CVE-2022-2436: 
WordPress vulnerability analysis and mitigation

The WordPress Download Manager plugin (versions up to 3.2.49) was identified with a deserialization vulnerability tracked as CVE-2022-2436. The vulnerability was discovered by Rasoul Jahanshahi and publicly disclosed on August 17, 2022. This security issue affects the plugin's handling of the 'file[package_dir]' parameter, potentially allowing authenticated users with contributor-level privileges or higher to exploit the vulnerability (WPScan).

The vulnerability is classified as an Object Injection/Deserialization of untrusted data (CWE-502) issue. It received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical issue stems from improper validation of the 'file[package_dir]' parameter, which allows attackers to use PHAR wrapper for deserializing data and calling arbitrary PHP Objects (NVD).

The vulnerability could allow attackers to perform various malicious actions if a suitable PHP Object Pollution (POP) chain is present in the target environment. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected systems (Wordfence).

The vulnerability was fixed in version 3.2.50 of the WordPress Download Manager plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).