WordPress Download Manager – XSS

Security Findings

Recently I installed WordPress Download Manager, a download manager plugin that gives you full control over file downloads.

After installing the plugin it was time to test it. The first thing to do is to create a download package: you have to enter a title, a description and the file(s) you want your users to download.

It turned out that the title input field is not properly sanitized and is therefore vulnerable to persistent (stored) cross-site scripting.

[Screenshot: WordPress Download Manager PXSS01]

The payload entered in the input field is:

This creates an input field after the text "test"; when you hover over that input field, the JavaScript payload executes and, in this case, displays the cookies.

[Screenshot: WordPress Download Manager PXSS02]

Needless to say, with different payloads it is possible to perform other actions to attack one of the administrators.

Informing the author
Once this finding was discovered, the author of the Download Manager was informed. However, apparently this finding is not going to be fixed anytime soon. Here is the response I received:

Thanks for pointing out the issue; anyhow, it's in the wp-admin admin section, so only if the user wants to mess up his site wishfully may it happen; anyhow, as we are already moving to a custom post type, all those issues will not be a matter anymore.

It is true that this part is in the admin section and that not just any user can perform this action; however, on large sites with multiple administrators this vulnerability could be abused. Aside from that, my personal opinion is that developers should always sanitize their inputs, because failing to do so can lead to a lot of other issues, such as being able to purchase the Download Manager Pro version for only $0.01 – more about this later!
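To make the "sanitize your inputs" point concrete for the package-title field described above, here is an added example (not the plugin's own code, and not from the plugin's author) of a minimal WordPress admin handler for a package title. The first pair of functions shows the unsafe pattern the post describes (title stored and echoed verbatim); the second pair shows the hardened form: a capability check, a nonce check, sanitizing on input and escaping on output for the context the value lands in. The option name, form field name, capability and nonce action are assumptions chosen for illustration.

```php
<?php
/*
 * Added example, not part of WordPress Download Manager.
 * Assumed names: option 'wdm_example_package_title', POST field 'package_title',
 * capability 'manage_options', nonce action 'wdm_example_save_title'.
 */

// --- Vulnerable pattern: raw title stored and echoed back into the admin page. ---
function wdm_example_save_title_vulnerable() {
    // Stored as-is: any markup typed into "Title" is persisted verbatim.
    update_option( 'wdm_example_package_title', $_POST['package_title'] );
}

function wdm_example_render_title_vulnerable() {
    // Echoed without escaping: stored markup becomes live HTML for every
    // administrator who opens this page (the stored XSS described above).
    echo '<h2>' . get_option( 'wdm_example_package_title' ) . '</h2>';
}

// --- Hardened pattern: gate the action, sanitize on input, escape on output. ---
function wdm_example_save_title_hardened() {
    // Only users permitted to manage packages may store a title.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Reject requests that did not originate from our own form (CSRF guard).
    check_admin_referer( 'wdm_example_save_title' );

    // sanitize_text_field() strips tags, line breaks and stray octets and trims
    // whitespace; wp_unslash() undoes the slashes WordPress adds to request data.
    $title = isset( $_POST['package_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['package_title'] ) )
        : '';

    update_option( 'wdm_example_package_title', $title );
}

function wdm_example_render_title_hardened() {
    $title = get_option( 'wdm_example_package_title', '' );

    // Escape at the point of output, for the context the value lands in:
    // esc_html() for element content, esc_attr() inside an attribute value.
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo '<input type="text" name="package_title" value="' . esc_attr( $title ) . '">';

    // The form must carry the nonce that check_admin_referer() verifies on save.
    wp_nonce_field( 'wdm_example_save_title' );
}
```

Sanitizing on input alone is not sufficient: a title that is safe as element content can still break out of an attribute value, so escape for the output context as well. The capability and nonce checks matter even for admin-only screens, because a stored payload runs in the browser of every administrator who views the page, not only the one who entered it.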

Please note that this security issue has been resolved in the latest version!


About the Author


Currently I am working as an Information Security Consultant & Project Manager at Comsec Consulting. I provide consulting in several areas of security including but not limited to: penetration testing, application vulnerability assessments, network vulnerability assessments, and wireless security. I also participate in PCI-DSS and PA-DSS certification projects.



Android devices at risk again

August 8, 2015
Security researchers from Checkpoint revealed new security issues that allow attackers to compromise hundreds of millions of Android devices with a simple text message. The problem resides in the way Google's partners use certificates to sign remote support tools. Certificates are supposed to guarantee the authenticity of applications in order to allow them to access different parts of the Android operating system. The vulnerabilities in Android allow attackers to clone these certificates and use them maliciously. It is possible to send a text message to a phone to force those remote access tools to launch commands. Revoking the cloned certificates is not considered a proper solution, as the certificates would then no longer be valid for the legitimate support tools either. To resolve this issue, the manufacturer partners and carriers are required to work together to update the vulnerable plugins. Among the vulnerable plugins are RSupport, TeamViewer and Communitake.

FBI Cracks TrueCrypt Password

August 8, 2015
According to recent reporting by South Florida's Sun Sentinel, the FBI has managed to crack a TrueCrypt password in the case of Christopher Glenn. Army counterintelligence expert Gerald Parsons noted that, in his estimation, it would have taken "billions" of years to do so by traditional methods with current capabilities. Source:

GHOST: GNU C Library RCE Vulnerability

January 28, 2015
In more detail, a heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls.

RCE in PolarSSL

January 19, 2015
Dutch researchers have discovered RCE in PolarSSL. RCE is short for Remote Code Execution, which allows malicious users - in certain cases only - to run code on the server. When a web server that uses PolarSSL processes an "evil certificate", the attack (Remote Code Execution) can be carried out. One case in which the attack is possible is when a server is configured to check for client certificates; the malicious user is then not required to have a valid certificate or credentials, and sending a false certificate to the server is sufficient to execute the attack. In certain cases it was also found to be possible to attack users that connect to a web server that uses PolarSSL. The Dutch National Cyber Security Center released this document. The CVE-ID for this vulnerability is CVE-2015-1182. More information can be found at PolarSSL.

UK: Ban encrypted messaging apps

January 13, 2015
The British Prime Minister David Cameron is considering banning encrypted messaging apps like Snapchat, CryptoCat, WhatsApp and Apple's iMessage if the companies don't give the UK government backdoor access to their encrypted communications. Cameron said the Paris terror attacks highlighted the need for greater access to encrypted communications. His remarks were aimed at messaging apps that encrypt messages to secure users' communications. If he wins the next election and is re-elected, he would seek to ban the encrypted communication apps as part of his plans for new surveillance powers. "The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe," Cameron said. Encryption became a hot topic in the wake of National Security Agency whistleblower Edward Snowden's revelations on NSA surveillance. The leaked files revealed that Skype has a backdoor and highlighted broad global online surveillance of encryption companies. However, messaging companies such as WhatsApp remained committed to keeping their services encrypted so that the communications between their users cannot be read by authorities. The Prime Minister didn't name specific apps that could be subject to the ban, but a number of popular messaging apps that use encryption in one form or another, including Snapchat, WhatsApp, iMessage and FaceTime, should be considered to be on the list.

XBOX One SDK Leaked

January 3, 2015
The XBOX One SDK leaked earlier this week by a group that calls itself H4LT. The software development kit (or SDK) for the Xbox One is circulating on the internet. This potentially opens the door for homemade applications and allows unapproved developers to create homebrew for the system. [Image: XBOX One SDK Setup] [Image: Install the XBOX One Software Development Kit] H4LT said that there are currently no exploits available which allow a developer to run homebrew code on the XBOX One. By leaking it to the public they hope that someone familiar with the inner workings of Windows 8 will be able to dig through the files and find something interesting in the near future. H4LT stated: "Once the SDK is out, people who have knowledge or have in the past reversed files related to the Windows (8) operating system should definitely have a go at reversing some files in there," the group added. "Why? Well, the Xbox One is practically a stripped Windows 8 device and has introduced a new package format that hasn't had much attention. This format is responsible for updating the console and storing applications (Games are under the category of 'Applications' on the Xbox One) and is a modification of Virtual Hard Disks."