WordPress Plugin Vulnerabilities

Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)

Description

In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch can use to sort categories with order by a function which will be used as ?orderby=title,publish_date .
By adding parameter "> and add any XSS payload , the xss payload will execute.

To reproduce,

1. Go to the link where we can find ?orderby
2. Add parameters >" and give simple payload like <script>alert(1)</script>
3. The payload will execute.

Another reflected cross-site scripting via advance search .

Proof of Concept

Affects Plugins

Plugin icon
download-manager
Fixed in 2.9.94

References

CVE
CVE-2019-15889
Exploitdb
47350
URL
https://packetstormsecurity.com/files/#152511/
URL
https://plugins.trac.wordpress.org/changeset/2070388/download-manager

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
MgThuraMoeMyint
Submitter
MgThuraMoeMyint
Submitter twitter
mgthuramoemyint
Verified
No
WPVDB ID
333d63eb-7846-4cc3-abd9-b00e12b25037

Timeline

Publicly Published
2019-04-17 (about 6 years ago)
Added
2019-04-23 (about 6 years ago)
Last Updated
2021-01-19 (about 5 years ago)

Other

Published
Title
Published
2021-02-24
Title
NextGEN Gallery Pro < 3.1.11 - Reflected Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Uploadify Integration 0.9.6 - Multiple Cross Site Scripting Vulnerabilities
Published
2023-03-30
Title
PixFields <= 0.7.0 - Contributor+ Stored Cross-Site Scripting
Published
2024-09-30
Title
Move Addons for Elementor < 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-13
Title
FooGallery < 2.4.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL