WordPress Plugin Vulnerabilities

Dwnldr 1.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

User agent strings are logged when requesting downloads that are processed by dwnldr and displayed back to the admin with no encoding, allowing for scripts to be stored and executed.

Proof of Concept

Affects Plugins

Plugin icon
dwnldr
Fixed in 1.01

References

CVE
CVE-2016-10964
URL
https://rastating.github.io/dwnldr-1-0-stored-xss-disclosure

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Rob Carr
Submitter website
http://blog.rastating.com/
Submitter twitter
iamrastating
Verified
No
WPVDB ID
702b4a5a-8d11-4242-b5e7-84aaafb9c11e

Timeline

Publicly Published
2016-07-18 (about 9 years ago)
Added
2016-07-19 (about 9 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2026-01-05
Title
ForumWP – Forum & Discussion Board < 2.1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name
Published
2025-02-26
Title
BuddyBoss Platform < 2.8.00 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link_title'
Published
2023-08-11
Title
Kangu para WooCommerce < 2.2.10 - Reflected XSS
Published
2024-11-12
Title
Product Delivery Date for WooCommerce - Lite < 2.8.1 - Reflected Cross-Site Scripting
Published
2021-09-06
Title
Appointment Hour Booking < 1.3.16 - Admin+ Stored Cross-Site Scripting