The plugin does not escape a generated URL before outputting it back in an attribute of the login page it renders, leading to Reflected Cross-Site Scripting. The issue is only exploitable against unauthenticated users.
On the login page from the plugin (i.e. where the [wpdm_login_form] shortcode is embedded), append ?a"><script>alert(/XSS/)</script> to the URL, e.g. against an unauthenticated user: https://example.com/wpdm-login/?a"><script>alert(/XSS/)</script>
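The missing output encoding described above, shown next to its fix, as an added example that is not the plugin's code. The function names and the "redirect_to" field are hypothetical, and plain htmlspecialchars() stands in for WordPress's esc_url()/esc_attr() so the script runs without WordPress.

```php
<?php
// Added illustration, not the plugin's code. Function names and the
// "redirect_to" field are hypothetical.

// Vulnerable pattern: a URL derived from the request is concatenated
// into an attribute with no output encoding.
function render_login_form_unsafe(string $url): string
{
    return '<form method="post"><input type="hidden" name="redirect_to" value="'
        . $url . '"></form>';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// Inside WordPress, esc_url() or esc_attr() fill this role; plain
// htmlspecialchars() keeps the example runnable without WordPress.
function render_login_form_safe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post"><input type="hidden" name="redirect_to" value="'
        . $escaped . '"></form>';
}

// Regression check: parse the markup with an HTML parser and report
// how many <script> elements exist and what the field value is.
function inspect_markup(string $html): array
{
    libxml_use_internal_errors(true); // tolerate fragment-level warnings
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $input ? $input->getAttribute('value') : null,
    ];
}

// Constructed sample: the URL from the proof of concept.
$url = 'https://example.com/wpdm-login/?a"><script>alert(/XSS/)</script>';

foreach (['unsafe' => render_login_form_unsafe($url),
          'safe'   => render_login_form_safe($url)] as $name => $html) {
    $r = inspect_markup($html);
    printf("%-6s scripts=%d value=%s\n", $name, $r['scripts'], var_export($r['value'], true));
}
```

A check like inspect_markup() can serve as a regression test for the login template: the escaped output should parse to zero script elements and a field value equal to the original URL.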
2022-06-27 (about 7 months ago)