CVE-2022-3076: 
WordPress vulnerability analysis and mitigation

CVE-2022-3076 is a security vulnerability affecting the CM Download Manager WordPress plugin versions before 2.8.6. The vulnerability was discovered and publicly disclosed on September 5, 2022. It affects the file upload functionality within the plugin, specifically impacting WordPress installations using the CM Download Manager plugin (WPScan).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It received a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The technical issue allows high-privilege users such as administrators to upload arbitrary files by configuring any extension through the plugin's settings, which could potentially be exploited in multisite blog environments to upload PHP files (NVD, WPScan).

The vulnerability could allow authenticated administrators to upload potentially malicious PHP files to the WordPress installation. This could lead to remote code execution if exploited, particularly in multisite blog environments where individual site administrators could compromise the entire WordPress installation (WPScan).

The vulnerability has been patched in version 2.8.6 of the CM Download Manager plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).