Easy Media Download < 1.1.5 – Authenticated Stored Cross-Site Scripting

Description

The ‘Button Text’ field in used while posting a file download was found to be vulnerable to stored XSS, as they did not sanitize user given input properly before publishing the post. It is triggered when a users loads a page where the plugin shortcode is used. All WordPress websites using Easy Media Download by naa986 version 1.1.4 and below are affected.

Proof of Concept

[easy_media_download url="http://example.com/wp-content/uploads/file.zip" text="Free Download <script>alert(document.cookie)</script>"]

Affects Plugins

easy-media-download

Fixed in 1.1.5

References

URL

https://packetstormsecurity.com/files/#158877/

URL

https://melbin.in/2020/08/14/stored-xss-vulnerability-in-wordpress-easy-media-download-plugin/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Melbin K Mathew

Verified

WPVDB ID

75adcc87-6389-4175-a040-c1cd7f1ecc55

Timeline

Publicly Published

2020-08-17 (about 5 years ago)

Added

2020-08-17 (about 5 years ago)

Last Updated

2021-09-01 (about 4 years ago)

Other

Published

Title

Published

2021-02-01

Title

Ivory Search < 4.5.11 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2024-06-20

Title

My Favorites < 1.4.4 - Contributor+ Stored XSS

Published

2025-01-14

Title

Event Registration Calendar By vcita <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-05

Title

Recurring PayPal Donations < 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-04-10

Title

wp secure <= 1.2 - Reflected Cross-Site Scripting