Simple Download Monitor < 3.9.5 – Contributor+ Stored Cross-Site Scripting via File Thumbnail | CVE 2021-24693 | Plugin Vulnerabilities

Description

The plugin does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin

Proof of Concept

Add new download
Set "File Thumbnail (Optional)" to " onerror=alert(origin)//
Publish or Submit for Review (depending on role). XSS will be triggered in the Downloads List and when editing the download

Affects Plugins

simple-download-monitor

Fixed in 3.9.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

4bb559b7-8dde-4c90-a9a6-d8dcfbea53a7

Timeline

Publicly Published

2021-10-05 (about 2 years ago)

Added

2021-10-05 (about 2 years ago)

Last Updated

2022-04-15 (about 2 years ago)

Other

Published

Title

Published

2019-05-27

Title

SAML SP Single Sign On <= 4.8.72 - Cross-Site Scripting (XSS)

Published

2022-06-22

Title

LearnPress < 4.1.6.7 - Reflected Cross-Site Scripting

Published

2023-07-05

Title

SMTP Mail <= 1.3.23 - Unauthenticated Stored Cross-Site Scripting

Published

2023-10-25

Title

Fathom Analytics < 3.1.0 - Admin+ Stored XSS

Published

2021-10-04

Title

Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting