Vulnerability Description
The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including, 3.2.42. The cause is insufficient input sanitization and output escaping of the 'frameid' parameter in the ~/src/Package/views/shortcode-iframe.php file: the request value reaches the rendered page without being escaped for its HTML context.
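The following PHP is an added illustration of the vulnerability class described above and of the fix pattern (validate on input, escape on output); it is not the plugin's code and does not reproduce the affected file. The parameter name 'frameid' comes from the description; the function names render_iframe_unsafe and render_iframe_safe, the assumed character set for a frame id, and the esc_attr() shim for running outside WordPress are assumptions made for this example.

```php
<?php
// Added illustration (not the plugin's code): how a reflected XSS on a
// shortcode parameter arises and how output escaping removes it.
// Assumptions: the shortcode view reads a request parameter named
// 'frameid' and prints it into an HTML attribute; the function names
// below are hypothetical.

// Outside WordPress, esc_attr() is not defined. This shim approximates it
// (attribute-context escaping of &, <, >, ' and ") so the file runs under
// the php CLI. Inside WordPress, the real esc_attr() is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: request input is printed straight into markup, so a
// value containing a double quote can close the id="" attribute and add
// attributes or elements of its own (CWE-79, reflected XSS).
function render_iframe_unsafe($frameid) {
    return '<iframe id="' . $frameid . '" src="/download/"></iframe>';
}

// Hardened pattern: validate the value against the expected shape first,
// then escape for the attribute context on output. Either layer alone
// blocks the breakout; using both is defense in depth.
function render_iframe_safe($frameid) {
    // Assumption: a frame id only ever needs letters, digits, '-' and '_'.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', (string) $frameid)) {
        $frameid = 'wpdm-frame'; // fall back to a fixed, known-good id
    }
    return '<iframe id="' . esc_attr($frameid) . '" src="/download/"></iframe>';
}

// Constructed sample inputs: a normal id and one carrying an attribute-
// breaking double quote. In the unsafe output the second value injects a
// class attribute; in the safe output it is replaced by the fallback id.
$samples = ['frame1', 'frame1" class="injected'];
foreach ($samples as $input) {
    echo "input:  {$input}\n";
    echo "unsafe: " . render_iframe_unsafe($input) . "\n";
    echo "safe:   " . render_iframe_safe($input) . "\n\n";
}
```

Run with `php example.php`. The unsafe renderer shows why input that is only "sanitized" on the way in is not enough: the correct escaping depends on where the value lands (here an HTML attribute, hence esc_attr rather than esc_html), so escaping belongs at the point of output.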
CVSS Score
MEDIUM (CVSS base score 6.1)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| W3Eden | Download Manager | <= 3.2.42 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old (Patch, Third Party Advisory)
- https://wordpress.org/plugins/download-manager/#developers
- https://www.wordfence.com/blog/2022/06/security-vulnerability-download-manager-p (Exploit, Third Party Advisory)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79fcf18e-39f7-42f2-90e
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1985 (Third Party Advisory)
FAQ
What is CVE-2022-1985?
CVE-2022-1985 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including, 3.2.42. This is due to insufficient input sanitization and output escaping on...
How severe is CVE-2022-1985?
CVE-2022-1985 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-1985?
Check the references section above for vendor advisories and patch information. Affected products include: W3Eden Download Manager.