WordPress Download Manager < 3.2.16 – Admin+ Stored Cross-Site Scripting | CVE 2021-24773

Description

The plugin does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed

Proof of Concept

- Create a new Download, add the following payload in the "Version" and "Link Label" fields from the 'Package Settings" section:"><img/src/onerror=alert(/XSS/)>. The XSS will be triggered when viewing/previewing the post with the download.

- Create a new Download, in the "Attach File" section, upload a file named a simple XSS payload or put the following payload into the "insert URL" field: "><img/src/onerror=alert('filename')>.txt then click on the '+' button next to the field and save the download. The XSS will be triggered when editing the download.