CVE-2022-2981: 
WordPress vulnerability analysis and mitigation

CVE-2022-2981 affects the Download Monitor WordPress plugin versions before 4.5.98. The vulnerability was discovered and publicly disclosed on September 19, 2022. This security issue impacts WordPress installations using the affected versions of the Download Monitor plugin (WPScan).

The vulnerability is classified as a File Download vulnerability with a CVSS v3.1 Base Score of 4.9 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue is categorized under CWE-552 (Files or Directories Accessible to External Parties). The technical flaw lies in the plugin's failure to properly validate file paths, allowing access to files outside the intended blog folders (NVD, WPScan).

The vulnerability allows high-privilege users such as administrators to download sensitive files like wp-config.php or /etc/passwd, even in hardened environments or multisite setups. This could lead to the exposure of critical system configuration information and sensitive data (WPScan).

The vulnerability has been fixed in version 4.5.98 of the Download Monitor plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).