WordPress Plugin Vulnerabilities

WP-DownloadManager < 1.68.7 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of the download settings (such as download_path, download_path_url and download_page_url), which could allow high privilege users to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-downloadmanager
Fixed in 1.68.7

References

CVE
CVE-2022-25605
CVE
CVE-2022-25606
URL
https://plugins.trac.wordpress.org/changeset/2641400

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
940913e1-551c-4b8e-a433-dcf09b6f3390

Timeline

Publicly Published
2022-01-12 (about 4 years ago)
Added
2022-03-20 (about 4 years ago)
Last Updated
2022-04-11 (about 4 years ago)

Other

Published
Title
Published
2025-01-16
Title
BizLibrary <= 1.1 - Reflected Cross-Site Scripting
Published
2023-05-15
Title
ConvertKit < 2.2.1 - Reflected XSS
Published
2026-03-08
Title
Themify Event Post < 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-04-09
Title
AddFunc Head & Footer Code < 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
Published
2024-08-13
Title
Chatbot Support AI <= 1.0.2 - Admin+ Stored XSS