Download Monitor < 4.5.91 - Admin+ Arbitrary File Download

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.

N/A

对外部实体的文件或目录可访问

WordPress plugin Download Monitor 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Download Monitor 4.5.91之前的版本存在安全漏洞，该漏洞源于该插件不确保要下载的文件在博客文件夹内，并且不敏感，即使在强化环境或多站点设置中，管理员等高权限用户也可以下载 wp-config.php 或 /

N/A

N/A