WordPress Plugin Vulnerabilities

CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting

Description

The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue.

Proof of Concept

Affects Plugins

Plugin icon
cm-download-manager
Fixed in 2.8.0

References

CVE
CVE-2020-27344
URL
https://gist.github.com/qwebee/da79c6a9fa982c3c40988a1e0598c0d9

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
qwebee
Verified
No
WPVDB ID
461d770c-98be-4c09-9fe8-da4fe74aac2b

Timeline

Publicly Published
2020-10-22 (about 5 years ago)
Added
2020-10-22 (about 5 years ago)
Last Updated
2020-10-23 (about 5 years ago)

Other

Published
Title
Published
2025-01-30
Title
WPRadio – WordPress Radio Streaming Plugin < 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-09-07
Title
Qwiz Online Quizzes And Flashcards <= 3.36 - Unauthenticated Reflected Cross Site Scripting
Published
2024-10-01
Title
Demo Importer Plus < 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2024-03-12
Title
Sky Addons for Elementor < 2.5.0 - Authenticated(Contributor+) Stored Cross-site scripting via Wrapper Link URL
Published
2024-12-16
Title
Image Mapper <= 0.2.5.3 - Reflected Cross-Site Scripting