The plugin does not escape some of the Download settings when outputting them, allowing high-privilege users to perform stored cross-site scripting (XSS) attacks even when the unfiltered_html capability is disallowed.
- Create a new Download and put the following payload in the "Version" and "Link Label" fields of the "Package Settings" section: "><img/src/onerror=alert(/XSS/)> . The XSS is triggered when viewing or previewing the post that contains the download.
- Create a new Download and, in the "Attach File" section, either upload a file whose name is a simple XSS payload or put the following payload into the "insert URL" field: "><img/src/onerror=alert('filename')>.txt , then click the '+' button next to the field and save the download. The XSS is triggered when editing the download.
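The two payloads above work because the setting is written into an HTML attribute without attribute-context escaping, so the leading "> closes the attribute and the tag and the rest is parsed as a new <img> element with an onerror handler. The following Python script is an added illustration and is not the plugin's code: it assumes a hypothetical value="..." rendering context (the advisory does not state the exact markup), renders the advisory's payloads once unescaped and once with attribute-context escaping equivalent in spirit to WordPress esc_attr(), and uses the standard-library HTML parser to show which version yields an injected event handler.

```python
import html
from html.parser import HTMLParser

# Payloads taken from the PoC above (constructed inputs for this example).
VERSION_PAYLOAD = '"><img/src/onerror=alert(/XSS/)>'
FILENAME_PAYLOAD = '"><img/src/onerror=alert(\'filename\')>.txt'


def render_unescaped(field_name, value):
    """Hypothetical vulnerable rendering: the setting is dropped straight into an attribute."""
    return f'<input type="text" name="{field_name}" value="{value}">'


def render_escaped(field_name, value):
    """Same template with attribute-context escaping (html.escape with quote=True encodes
    the double quote, so the value can no longer close the attribute or the tag)."""
    return f'<input type="text" name="{field_name}" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Collect every start tag and its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_handlers(markup):
    """Return (tag, attribute) pairs for every on* event-handler attribute the browser-like
    parser sees in the markup. A non-empty result means the payload broke out of the attribute."""
    return [(tag, name) for tag, attrs in parse_tags(markup)
            for name in attrs if name.startswith("on")]


def first_input_value(markup):
    """Return the decoded value attribute of the first <input>, i.e. what the user would see."""
    for tag, attrs in parse_tags(markup):
        if tag == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    for label, payload in (("version", VERSION_PAYLOAD), ("file", FILENAME_PAYLOAD)):
        raw = render_unescaped(label, payload)
        safe = render_escaped(label, payload)
        print(f"[{label}] unescaped -> handlers: {injected_handlers(raw)}")
        print(f"[{label}] escaped   -> handlers: {injected_handlers(safe)}")
        print(f"[{label}] escaped value round-trips: {first_input_value(safe) == payload}")
```

The escaped rendering still carries the full payload text as the field's value (the parser decodes the entities back to the original string), which is the point of output escaping: the data is preserved, only its ability to change the markup structure is removed.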
Huy Nguyen (Inval1d Team)
Huy Nguyen
Yes
2021-09-29
2021-09-29
2022-04-09