WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed

Proof of Concept

- Create a new Download, add the following payload in the "Version" and "Link Label" fields from the 'Package Settings" section:"><img/src/onerror=alert(/XSS/)>. The XSS will be triggered when viewing/previewing the post with the download.

- Create a new Download, in the "Attach File" section, upload a file named a simple XSS payload or put the following payload into the "insert URL" field: "><img/src/onerror=alert('filename')>.txt then click on the '+' button next to the field and save the download. The XSS will be triggered when editing the download.

Affects Plugins

download-manager
Fixed in version 3.2.16

References

CVE
CVE-2021-24773

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Huy Nguyen (Inval1d Team)

Submitter

Huy Nguyen

Submitter website
https://www.linkedin.com/in/id-laladee/
Verified

Yes

WPVDB ID
aab2ddbb-7675-40fc-90ee-f5bfa8a5b995

Timeline

Publicly Published

2021-09-29 (about 10 months ago)

Added

2021-09-29 (about 10 months ago)

Last Updated

2022-04-09 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin