CVE-2022-2362: 
WordPress vulnerability analysis and mitigation

The Download Manager WordPress plugin before version 3.2.50 contains a security vulnerability identified as CVE-2022-2362. The vulnerability was discovered by Raad Haddad of Cloudyrion GmbH and was publicly disclosed on August 1, 2022. This vulnerability affects the IP address validation mechanism in the WordPress Download Manager plugin (WPScan).

The vulnerability stems from the plugin's IP address validation implementation, where it incorrectly prioritizes visitor IP addresses from certain HTTP headers over PHP's REMOTE_ADDR. This implementation flaw has been assigned a CVSS v3 Base Score of 7.5 (High), with an Impact Score of 3.6 and Exploitability Score of 3.9. The vulnerability requires no privileges (PR:N) or user interaction (UI:N) and can be exploited over the network (AV:N) with low attack complexity (AC:L) (AttackerKB).

The vulnerability allows attackers to bypass IP-based download blocking restrictions implemented by the plugin. This could potentially lead to unauthorized access to protected downloads and circumvention of download access controls (WPScan).

The vulnerability has been patched in version 3.2.50 of the Download Manager plugin. Users are advised to update to this version or later to mitigate the vulnerability (WPScan).