Download Manager < 3.2.62 – Contributor+ Stored XSS | CVE 2022-4476 | Plugin Vulnerabilities

Description

The plugin does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks against logged-in admins.

Proof of Concept

1. “Enable modal login form” option in the “Downloads > Settings > Frontend Access > Front-end Settings” section.

2. Exploit shortcode:

[wpdm_modal_login_form class='" onmouseover="alert(1)']

Affects Plugins

download-manager

Fixed in 3.2.62

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

856cac0f-2526-4978-acad-d6d82a0bec45

Timeline

Publicly Published

2022-12-20 (about 1 years ago)

Added

2022-12-20 (about 1 years ago)

Last Updated

2022-12-20 (about 1 years ago)

Other

Published

Title

Published

2022-01-27

Title

WHMCS Bridge < 6.4b - Reflected Cross-Site Scripting (XSS)

Published

2023-04-24

Title

Recipe Maker For Your Food Blog from Zip Recipes < 8.0.7 - Reflected XSS

Published

2019-06-24

Title

Custom 404 Pro < 3.2.8 - XSS

Published

2023-09-25

Title

PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS

Published

2024-04-30

Title

Slider Revolution < 6.7.8 - Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter