Reflected XSS vulnerability found in the WordPress Download Manager opens the gate for Hackers and they also do anything an admin can do.
WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. It holds Active installs:90,000+ and the latest version 2.9.52.
XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page.Read More about XSS.
This vulnerability was disclosed by Tom Adams, this plugin outputs $_GET[‘id’] inside HTML without escaping which means anyone able to convince an admin to follow a link can add arbitrary HTML to the page. For POC refer dxwSecurity.
Also Read How to Do Penetration testing with your WordPress website detailed Explanation
2017-03-30: Discovered
2017-05-26: Reported to contact () w3eden com
2017-06-09: First response from vendor saying it’s been fixed and an update will be coming soon
2017-06-09: Version 2.9.52 released “Fixed issue with input data formatting”
2017-06-16: Advisory published
Update to version 2.9.52 or later.
You can update from Dashboard >> Updates >> Update Now OR through Plugins >> Installed plugins >> Update.
Also Read WordPress AffiliateWP Plugin Vulnerable for Cross-Site Scripting
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…