Simple Download Monitor < 3.9.5 – Contributor+ Stored Cross-Site Scripting via File Thumbnail | CVE 2021-24693 | Plugin Vulnerabilities

Description

The plugin does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin

Proof of Concept

Add new download
Set "File Thumbnail (Optional)" to " onerror=alert(origin)//
Publish or Submit for Review (depending on role). XSS will be triggered in the Downloads List and when editing the download

Affects Plugins

simple-download-monitor

Fixed in 3.9.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4bb559b7-8dde-4c90-a9a6-d8dcfbea53a7

Timeline

Publicly Published

2021-10-05 (about 4 years ago)

Added

2021-10-05 (about 4 years ago)

Last Updated

2022-04-15 (about 3 years ago)

Other

Published

Title

Published

2023-01-10

Title

YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode

Published

2024-11-13

Title

Gameplan <= 1.5.10 - Reflected Cross-Site Scripting

Published

2019-09-05

Title

WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews

Published

2021-11-08

Title

PDF.js Viewer < 2.0.2 - Contributor+ Stored Cross-Site Scripting

Published

2021-12-21

Title

Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting