Recently I installed WordPress Download Manager, a plugin that gives you full control over file downloads.
After installing the plugin it was time to test it. The first thing to do is to create a download package: you enter a title, a description and the file(s) you want your users to download.
It turned out that the title input field is not properly sanitized before it is rendered back into the admin pages, and the plugin is therefore vulnerable to persistent (stored) cross-site scripting.
The payload entered in the input field is:
test <input onmouseover=prompt(document.cookie)>
Needless to say, a different payload can do more than pop a prompt: any script that runs in an administrator's browser session runs with that administrator's privileges, so it can be used to attack any administrator who opens the page where the title is rendered.
Informing the author
Once this finding was discovered, the author of the Download Manager was informed. However, it appeared that the finding was not going to be fixed anytime soon. Here is the response I received:
Thanks for pointing out the issue. Anyhow, it's in the wp-admin admin section, so only if the user wants to mess up his site wishfully may it happen. Anyhow, as we are already moving to a custom post type, all those issues will not be a matter anymore.
It is true that this part of the plugin lives in the admin section and that not every user can perform this action. However, on large sites with multiple administrators, one administrator account can use this vulnerability to attack the others. Aside from that, my personal opinion is that developers should always sanitize their inputs and escape their outputs, because failing to do so can lead to a lot of other issues, such as being able to purchase the Download Manager Pro version for only $0.01. More about this later.
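To make the "sanitize and escape" point concrete, here is an added illustrative example of the vulnerable pattern beside a hardened form. It is not code from the WordPress Download Manager plugin; the function and option names (wpdm_example_*) are hypothetical, and it assumes the standard WordPress helpers current_user_can(), check_admin_referer(), wp_unslash(), sanitize_text_field(), wp_kses_post(), update_option(), esc_html() and esc_attr().

```php
<?php
// Added example, not the plugin's own code. Names prefixed wpdm_example_ are hypothetical.

// VULNERABLE: the stored title is echoed back verbatim into an admin page.
// A title such as 'test <input onmouseover=prompt(document.cookie)>' becomes
// live markup in the browser of every administrator who views the page.
function wpdm_example_render_title_vulnerable( $title ) {
    return '<h2>' . $title . '</h2>';
}

// HARDENED, step 1: authorise the request and normalise input on save.
function wpdm_example_save_package() {
    // Only users allowed to manage the site may create packages ...
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // ... and the form must carry a valid nonce (CSRF protection).
    check_admin_referer( 'wpdm_example_save_package' );

    // sanitize_text_field() strips tags, NUL bytes and stray whitespace,
    // so the <input ...> in the payload above never reaches the database.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    // A description may legitimately contain limited HTML; wp_kses_post()
    // keeps only the tags and attributes allowed in post content, which
    // excludes event handlers such as onmouseover.
    $description = wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) );

    update_option( 'wpdm_example_package', array(
        'title'       => $title,
        'description' => $description,
    ) );
}

// HARDENED, step 2: escape at the point of output, for the HTML body context.
// This is the fix that actually stops the XSS; it holds even if a raw value
// reached the database through some other route than the form above.
function wpdm_example_render_title_safe( $title ) {
    return '<h2>' . esc_html( $title ) . '</h2>';
}

// The same value placed inside an attribute needs attribute escaping instead.
function wpdm_example_render_title_input_safe( $title ) {
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}
```

With the hardened version, the payload above is stored as the bare text "test", and even a title that still contains `<input onmouseover=...>` is rendered by esc_html() as `&lt;input onmouseover=...&gt;`, which the browser displays literally instead of executing. Sanitising on save is defence in depth; output escaping is the control that must never be skipped.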
Please note that this security issue has since been resolved in the latest version of the plugin.