WordPress Plugin Vulnerabilities

WSM Downloader <= 1.4.0 - Domain Name Restriction Bypass

Description

The plugin allows only specific popular websites to download images/files from, this can be bypassed due to the lack of good "link" parameter validation

Proof of Concept

Affects Plugins

Plugin icon
wsm-downloader
No known fix

References

CVE
CVE-2022-2367

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
46afb0c6-2d0c-4a20-a9de-48f35ca93f0f

Timeline

Publicly Published
2022-07-12 (about 3 years ago)
Added
2022-07-12 (about 3 years ago)
Last Updated
2023-04-15 (about 2 years ago)

Other

Published
Title
Published
2022-12-27
Title
WP Limit Login Attempts <= 2.6.5 - IP Spoofing
Published
2025-12-12
Title
Login Lockdown & Protection < 2.15 - IP Block Bypass
Published
2025-11-26
Title
SKT PayPal for WooCommerce < 1.5 - Unauthenticated Payment Bypass
Published
2017-01-26
Title
WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Published
2016-11-10
Title
W3 Total Cache < 0.9.5 - Weak Validation of Amazon SNS Push Messages