WordPress Plugin Vulnerabilities

Download Monitor < 4.4.7 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the post_id and downloadable_file_version parameters, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
download-monitor
Fixed in 4.4.7

References

CVE
CVE-2021-23174

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.4 (low)

Miscellaneous

Original Researcher
Ex.Mi
Verified
No
WPVDB ID
ede6d5af-b641-478c-8e74-b0c02ba26a97

Timeline

Publicly Published
2021-10-29 (about 4 years ago)
Added
2022-01-29 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2022-05-09
Title
External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting
Published
2024-03-29
Title
WP Twitter Mega Fan Box Widget <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2026-04-15
Title
WP Shortcodes Plugin — Shortcodes Ultimate < 7.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode
Published
2024-07-01
Title
Mega Elements < 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-09-24
Title
WP DSGVO Tools (GDPR) < 3.1.24 - Unauthenticated Plugin's Settings Update to Stored Cross-Site Scripting