Dec07

WordPress Download Manager – XSS

Security Findings

Recently I installed WordPress Download Manager, a plugin that gives you full control over file downloads from your site.

After installing the plugin it was time to test it. The first thing to do is to create a download package: you enter a title, a description and the file(s) you want your users to download.

It turned out that the title input field is not properly sanitized, and what is stored there is later rendered unescaped in the admin pages, so the field is vulnerable to persistent (stored) cross-site scripting.

[Screenshot: WordPress Download Manager PXSS01]

The payload entered in the input field is:

This creates an input field right after the text "test". When an administrator hovers over that input field, the JavaScript payload is executed; in this case it displays the cookies.

[Screenshot: WordPress Download Manager PXSS02]

Needless to say, with a different payload the same injection point can be used to perform other actions against one of the administrators viewing the package list, since the script runs in that administrator's authenticated session.
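To make the failure mode concrete, here is an added example (mine, not the plugin's code and not the author's payload) that models the two halves of the bug: a hypothetical admin-list cell that echoes the stored title verbatim next to the same cell with the title HTML-escaped on output, plus a small check that parses the rendered markup and reports any element carrying an inline event handler. The payload string is constructed to match the description above (the text "test" followed by an input element whose mouseover handler shows the cookies); the function names and the table-cell markup are assumptions. The check is general, so it also flags other tag-injection payloads, not only the one described in the post.

```python
import html
from html.parser import HTMLParser

# Constructed payload matching the post's description; not the author's exact string.
PAYLOAD = 'test<input onmouseover="alert(document.cookie)">'


def render_title_cell_vulnerable(title: str) -> str:
    """Hypothetical admin-list cell that concatenates the stored title verbatim.

    This is the pattern that produces the stored XSS: whatever was saved as the
    package title lands in the page as live markup.
    """
    return f"<td class='package-title'>{title}</td>"


def render_title_cell_fixed(title: str) -> str:
    """Same cell with the title HTML-escaped at output time.

    html.escape(quote=True) turns <, >, &, " and ' into entities, which is what
    WordPress's esc_html() does for text placed between tags.
    """
    return f"<td class='package-title'>{html.escape(title, quote=True)}</td>"


class EventHandlerFinder(HTMLParser):
    """Collects (tag, attribute, value) for every on* attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name, value or ""))


def find_event_handlers(markup: str) -> list[tuple[str, str, str]]:
    """Parse rendered HTML the way a browser would and list inline event handlers.

    An empty list means the title did not become an element with a handler, i.e.
    the payload was neutralised before reaching the page.
    """
    finder = EventHandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    # Constructed samples: the post's payload and a second, unrelated tag injection.
    for title in (PAYLOAD, "<img src=x onerror=alert(1)>"):
        print("stored title :", title)
        print("vulnerable   :", find_event_handlers(render_title_cell_vulnerable(title)))
        print("escaped      :", find_event_handlers(render_title_cell_fixed(title)))
```

In a WordPress plugin the equivalent of the fixed cell is to wrap the title in `esc_html()` wherever it is printed (and `esc_attr()` if it is placed inside an attribute), with `sanitize_text_field()` on the way in; escaping at output is the part that actually stops the script from running, because the stored value can be written by any code path that reaches the database.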

Informing the author
Once this finding was discovered, the author of the Download Manager was informed. However, apparently it is not going to be fixed any time soon. Here is the response I received:

Hi,
Thanks for pointing out the issue, anyhow it's in the wp-admin admin section, so only if the user wants to mess up his site wilfully may it happen, anyhow as we are already moving to custom post types, all those issues will not be a matter anymore.

It is true that this part is in the admin section and that not every user can perform this action. However, on large sites with multiple administrators one of them could abuse this vulnerability against the others. Aside from that, my personal opinion is that developers should always sanitize their inputs, because this could lead to a lot of other issues, such as being able to purchase the Download Manager Pro version for only $0.01 – more about this later!

Please note that this security issue has been resolved in the latest version of the plugin!

About the Author

JDiel

Currently I am working as an Information Security Consultant & Project Manager at Comsec Consulting. I provide consulting in several areas of security including but not limited to: penetration testing, application vulnerability assessments, network vulnerability assessments, and wireless security. I also participate in PCI-DSS and PA-DSS certification projects.
