WordPress Plugin Download Manager Free 2.7.94 & Pro 4 - (Authenticated) Persistent Cross-Site Scripting








# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS

# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file:

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not properly sanitized 
and this can lead to malicious code injection that will be executed on the 
target’s browser.

-- Proof of Concept --

1. The attacker creates a new download package via the plugin's menu
and uploads a file with the name: <svg onload=alert(0)>.jpg 

2. The stored XSS can be triggered when an authenticated user (e.g. admin)
attempts to edit this download package

-- Solution --

Upgrade to the latest version