# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS
# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2
# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file.

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not sanitized on upload and is not escaped when it is later written back into the package edit page, so the markup carried in the name is executed in the browser of whoever opens that page. Because the payload is persisted with the download package, it fires every time the package is edited, and a user with higher privileges (e.g. an administrator) is the natural target.

-- Proof of Concept --

1. The attacker creates a new download package via the plugin's menu and uploads a file with the name: <svg onload=alert(0)>.jpg
2. The stored XSS is triggered when an authenticated user (e.g. admin) opens this download package for editing.

-- Solution --

Upgrade to the latest version.
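The following Python is an added illustration and is not the plugin's code: a minimal model of the bug class (a stored file name interpolated into an admin page without escaping) beside the two fixes a practitioner would want, output escaping and input-side name sanitization in the spirit of WordPress core's sanitize_file_name(). The payload is the one from the advisory; the render functions, the sanitizer and the detection helper are hypothetical.

```python
import html
import re

# Payload from the advisory: the file name itself carries the markup.
PAYLOAD = "<svg onload=alert(0)>.jpg"


def render_edit_row_vulnerable(filename: str) -> str:
    """Model of the vulnerable pattern: the stored file name is written
    straight into the package-edit page. Illustrative only, not the
    plugin's real template."""
    return f'<tr><td class="file">{filename}</td></tr>'


def render_edit_row_fixed(filename: str) -> str:
    """Same row, but the untrusted value is HTML-escaped at output time
    (the equivalent of esc_html() in WordPress)."""
    return f'<tr><td class="file">{html.escape(filename, quote=True)}</td></tr>'


# Characters WordPress core strips in sanitize_file_name(); this list and the
# steps below only approximate that function (assumption, not a port).
_SPECIAL_CHARS = '?[]/\\=<>:;,\'"&$#*()|~`!{}%+\x00'


def sanitize_file_name(name: str) -> str:
    """Input-side hardening: drop characters that do not belong in a file
    name, collapse whitespace to '-', trim leading/trailing '.', '-', '_'."""
    for ch in _SPECIAL_CHARS:
        name = name.replace(ch, '')
    name = re.sub(r'[\r\n\t -]+', '-', name)
    return name.strip('.-_')


def contains_markup(value: str) -> bool:
    """Detection helper for existing installs: flag stored names or titles
    that contain a tag opener or an inline event handler."""
    return bool(re.search(r'<[a-zA-Z/!]|\bon[a-z]+\s*=', value))


if __name__ == "__main__":
    print("vulnerable:", render_edit_row_vulnerable(PAYLOAD))
    print("fixed     :", render_edit_row_fixed(PAYLOAD))
    print("sanitized :", sanitize_file_name(PAYLOAD))
    print("flagged   :", contains_markup(PAYLOAD))
```

Escaping at output is the fix that actually closes the XSS; sanitizing the name on upload is defence in depth, and the detection helper is useful for checking packages created before the upgrade, since the upgrade does not rewrite names already stored.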