A reflected XSS vulnerability found in the WordPress Download Manager plugin lets an attacker who gets an admin to follow a crafted link run script in that admin's browser, and so do anything the admin can do.
WordPress Download Manager is a files/documents management plugin used to manage, track and control file downloads from a WordPress site. It has 90,000+ active installs, and the latest version is 2.9.52.
XSS (short for Cross-Site Scripting) is a widespread vulnerability that affects many web applications. The danger behind XSS is that it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim's browser to execute the code provided by the attacker while loading the page.
This vulnerability was disclosed by Tom Adams. The plugin outputs $_GET['id'] inside HTML without escaping, which means anyone able to convince an admin to follow a link can add arbitrary HTML to the page. For the proof of concept, refer to dxwSecurity.
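To make the bug class concrete, here is an added illustration (not the plugin's actual code) of the pattern the advisory describes, a GET parameter echoed into HTML unescaped, next to the WordPress-idiomatic fix. Function names are hypothetical, and the snippet assumes it runs inside WordPress so that absint(), wp_unslash(), sanitize_text_field(), esc_attr() and esc_html() are available.

```php
<?php
// Added example, not the plugin's own code. Shows the class of defect the
// advisory describes (a request parameter rendered into HTML without
// escaping) and how WordPress code is expected to handle it instead.
// All function names here are hypothetical; assumes a WordPress runtime.

// BEFORE (vulnerable pattern): whatever arrives in ?id= is placed into the
// markup verbatim, both inside an attribute and as element text, so a
// crafted link decides what the admin's browser renders and executes.
function example_render_package_vulnerable() {
    $id = isset( $_GET['id'] ) ? $_GET['id'] : '';
    echo '<input type="hidden" name="package_id" value="' . $id . '">';
    echo '<h2>Package ' . $id . '</h2>';
}

// AFTER (hardened): the value is meant to be a numeric post ID, so coerce it
// with absint() on input and still escape at the point of output with the
// helper matching the HTML context (attribute vs. text content).
function example_render_package_hardened() {
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        return; // nothing to render for a missing or non-numeric id
    }
    echo '<input type="hidden" name="package_id" value="' . esc_attr( $id ) . '">';
    echo '<h2>' . esc_html( sprintf( 'Package %d', $id ) ) . '</h2>';
}

// Where a free-text parameter is genuinely needed, sanitize on input and
// escape on output; one step alone is not a substitute for the other.
function example_render_label_hardened() {
    $label = isset( $_GET['label'] )
        ? sanitize_text_field( wp_unslash( $_GET['label'] ) )
        : '';
    echo '<h2>' . esc_html( $label ) . '</h2>';
}
```

For admin-side actions, pairing the link with a nonce (wp_nonce_url() / check_admin_referer()) additionally stops a plain link an attacker hands to the admin from being accepted as a legitimate request.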
2017-03-30: Discovered
2017-05-26: Reported to contact () w3eden com
2017-06-09: First response from vendor saying it’s been fixed and an update will be coming soon
2017-06-09: Version 2.9.52 released “Fixed issue with input data formatting”
2017-06-16: Advisory published
Update to version 2.9.52 or later.
You can update from Dashboard >> Updates >> Update Now, or through Plugins >> Installed Plugins >> Update.