CVE-2022-2926: 
WordPress vulnerability analysis and mitigation

The Download Manager WordPress plugin before version 3.2.55 contains a path traversal vulnerability (CVE-2022-2926) that was discovered and disclosed on September 5, 2022. The vulnerability affects the WordPress plugin download-manager and allows high-privilege users such as administrators to list and read arbitrary files and folders outside of the blog directory (WPScan).

The vulnerability is classified as a path traversal (CWE-22) with a CVSS v3.1 base score of 4.9 (Medium). The attack vector is network-based, with low attack complexity but requires high privileges and no user interaction. The vulnerability has an impact on confidentiality but does not affect integrity or availability. The vulnerability stems from improper validation of the 'File Browser Root' setting in the plugin (AttackerKB, WPScan).

When exploited, the vulnerability allows authenticated administrators to access and read files and folders located outside of the WordPress blog directory. This could potentially lead to unauthorized access to sensitive system files and information disclosure (WPScan).

The vulnerability has been fixed in Download Manager version 3.2.55. Users are advised to update to this version or later to mitigate the risk (WPScan).