
20 matches found

Nuclei
added 17 hours ago · 19 views

Z-Downloads < 1.11.7 - Cross-Site Scripting

The plugin does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.

id: CVE-2024-8673
info:
  name: Z-Downloads 1.11.7 - Cross-Site Scripting
  author: Splint3r7
  severity: low
  description: |
    The plugin does not properly validate uploaded files...

9.1 CVSS · 5.8 AI score · 0.05832 EPSS
Exploits 1 · References 1

RedhatCVE
added 2025/05/17 9:1 p.m. · 7 views

CVE-2024-8703

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...

6.1 CVSS · 6.3 AI score · 0.00225 EPSS
Exploits 1 · References 1

RedhatCVE
added 2025/05/17 9:0 p.m. · 6 views

CVE-2024-8673

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...

9.1 CVSS · 6.9 AI score · 0.05832 EPSS
Exploits 1 · References 1

NVD
added 2025/05/15 8:15 p.m. · 4 views

CVE-2024-8703

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...

6.1 CVSS · 0.00225 EPSS
Exploits 1 · References 1

OSV
added 2025/05/15 8:15 p.m. · 1 view

CVE-2024-8699

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup...

7.2 CVSS · 5.9 AI score · 0.00852 EPSS
Exploits 1 · References 1

NVD
added 2025/05/15 8:15 p.m. · 16 views

CVE-2024-8673

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...

9.1 CVSS · 0.05832 EPSS
Exploits 1 · References 1

CVE
added 2025/05/15 8:7 p.m. · 21 views

CVE-2024-8703

The CVE reports a stored Cross-Site Scripting vulnerability in the Z-Downloads WordPress plugin prior to version 1.11.6. The root cause is insufficient sanitisation/escaping of certain parameters when they are output on share URLs, enabling unauthenticated users to inject script code. Affected so...

6.1 CVSS · 6.3 AI score · 0.00225 EPSS
Exploits 1 · References 1 · Affected Software 1

Cvelist
added 2025/05/15 8:7 p.m. · 9 views

CVE-2024-8703 Z-Downloads < 1.11.6 - Unauthenticated Stored XSS

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...

0.00225 EPSS
Exploits 1 · References 1

Vulnrichment
added 2025/05/15 8:7 p.m. · 5 views

CVE-2024-8703 Z-Downloads < 1.11.6 - Unauthenticated Stored XSS

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs...

6.2 AI score · 0.00225 EPSS
Exploits 1 · References 1

Vulnrichment
added 2025/05/15 8:7 p.m. · 8 views

CVE-2024-8673 Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...

7.1 AI score · 0.05832 EPSS
Exploits 1 · References 1

Vulnrichment
added 2025/05/15 8:7 p.m. · 8 views

CVE-2024-8699 Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup...

7 AI score · 0.00852 EPSS
Exploits 1 · References 1

Cvelist
added 2025/05/15 8:7 p.m. · 12 views

CVE-2024-8699 Z-Downloads < 1.11.5 - Admin+ Arbitrary File Upload

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to for example in multisite setup...

0.00852 EPSS
Exploits 1 · References 1

Cvelist
added 2025/05/15 8:7 p.m. · 24 views

CVE-2024-8673 Z-Downloads < 1.11.7 - Admin+ Stored XSS via SVG Upload

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript...

0.05832 EPSS
Exploits 1 · References 1

CVE
added 2025/05/15 8:7 p.m. · 23 views

CVE-2024-8699

The CVE targets the Z-Downloads WordPress plugin prior to version 1.11.5. Affected component: file upload handling in the plugin. Root cause: uploaded files are not properly validated, enabling high-privilege users (e.g., admins) to upload arbitrary files on the server, including in multisite con...

7.2 CVSS · 6.8 AI score · 0.00852 EPSS
Exploits 1 · References 1 · Affected Software 1

CNNVD
added 2025/05/15 12:0 a.m. · 2 views

WordPress plugin Z-Downloads security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

6.1 CVSS · 6 AI score · 0.00225 EPSS
Exploits 1 · References 1

CNNVD
added 2025/05/15 12:0 a.m. · 2 views

WordPress plugin Z-Downloads security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

9.1 CVSS · 8.6 AI score · 0.05832 EPSS
Exploits 1 · References 1

Positive Technologies
added 2025/05/15 12:0 a.m. · 2 views

PT-2025-21530 · Unknown · Z-Downloads

Name of the Vulnerable Software and Affected Versions: Z-Downloads WordPress plugin versions prior to 1.11.5
Description: The issue allows high privilege users, such as admin, to upload arbitrary files on the server even when they should not be allowed to, for example in a multisite setup. This i...

7.2 CVSS · 6.8 AI score · 0.00852 EPSS
Exploits 1 · References 4

Positive Technologies
added 2025/05/15 12:0 a.m. · 3 views

PT-2025-21529 · WordPress · Z-Downloads

Name of the Vulnerable Software and Affected Versions: Z-Downloads versions prior to 1.11.7
Description: The issue concerns the Z-Downloads WordPress plugin, which does not properly validate uploaded files. This allows for the uploading of SVG files that contain malicious JavaScript...

9.1 CVSS · 9.2 AI score · 0.05832 EPSS
Exploits 1 · References 4

Positive Technologies
added 2025/05/15 12:0 a.m. · 1 view

PT-2025-21534 · WordPress · Z-Downloads

Name of the Vulnerable Software and Affected Versions: Z-Downloads WordPress plugin versions prior to 1.11.6
Description: The issue arises from the plugin's failure to properly sanitise and escape certain parameters when they are displayed on the page. This oversight could allow unauthenticated...

6.1 CVSS · 6.1 AI score · 0.00225 EPSS
Exploits 1 · References 4

Patchstack
added 2024/05/10 12:0 a.m. · 7 views

WordPress Z-Downloads Plugin <= 1.11.3 is vulnerable to Arbitrary File Upload

Software: Z-Downloads
Type: Plugin
Vulnerable versions: = 1.11.3
Fixed in: 1.11.4
OWASP Top 10: A3: Injection
Classification: Arbitrary File Upload
CVE: CVE-2024-34555
Patch priority: Low
CVSS severity: Low 9.1
PSID: b00ddc85506e
Credits: younsoung kim, SeoHyeon Lee, MyungJu Kim,...

9.1 CVSS · 6.8 AI score · 0.08308 EPSS
Exploits 0 · References 2 · Affected Software 1