WordPress Download Manager Free version 2.7.94 and Pro version 4 suffer from a persistent cross site scripting vulnerability.
0309ec8cd7dbe37e81c6995f0bb31b5a363fb77bdd24d0b90bc2454f50653838# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2
# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177
-- Description --
This stored XSS vulnerability allows any authenticated wordpress user
to inject malicious code via the name of the uploaded file:
e.g. <svg onload=alert(0)>.jpg
The vulnerability exists because the file name is not properly sanitized
and this can lead to malicious code injection that will be executed on the
target’s browser
-- Proof of Concept --
1. The attacker creates a new download package via the plugin's menu
and uploads a file with the name: <svg onload=alert(0)>.jpg
2. The stored XSS can be triggered when an authenticated user (e.g. admin)
attempts to edit this download package
-- Solution --
Upgrade to the latest version
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed