WordPress Plugin Download Manager Free 2.7.94 & Pro 4 – (Authenticated) Persistent Cross-Site Scripting

  • Author: Filippos Mastrogiannis
    Date: 2015-07-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37622/
# WordPress Download Manager Free 2.7.94 & Pro 4 Authenticated Stored XSS

# Vendor Homepage: http://www.wpdownloadmanager.com
# Software Link: https://wordpress.org/plugins/download-manager
# Affected Versions: Free 2.7.94 & Pro 4
# Tested on: WordPress 4.2.2

# Discovered by Filippos Mastrogiannis
# Twitter: @filipposmastro
# LinkedIn: https://www.linkedin.com/pub/filippos-mastrogiannis/68/132/177

-- Description --

The stored XSS vulnerability allows any authenticated user to inject malicious code via the name of the uploaded file:

Example: <svg onload=alert(0)>.jpg

The vulnerability exists because the file name is not properly sanitized,
so a crafted name is stored as-is and later rendered as live markup,
executing script in the target's browser.

-- Proof of Concept --

1. The attacker creates a new download package via the plugin's menu
and uploads a file with the name: <svg onload=alert(0)>.jpg

2. The stored XSS is triggered when an authenticated user (e.g. admin)
attempts to edit this download package.

-- Solution --

Upgrade to the latest version
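The root cause and the fix, as an added plain-PHP illustration that is not the plugin's own code: the stored file name echoed unescaped into the package edit form, beside a hardened version that normalises the name on upload and HTML-encodes it on output. The function names are hypothetical; `preg_replace` and `htmlspecialchars` stand in for WordPress's `sanitize_file_name()` and `esc_html()`, and the input is the payload quoted in the advisory.

```php
<?php
// Added example, not code from the Download Manager plugin.

// Vulnerable pattern: the file name taken from the upload is written into the
// edit form verbatim, so a name containing "<svg onload=...>" becomes real
// markup in the admin's browser.
function render_file_row_vulnerable(string $stored_name): string
{
    return '<td class="file-name">' . $stored_name . '</td>';
}

// Hardened pattern, step 1: normalise the name when the upload is accepted.
// Plain-PHP stand-in for WordPress's sanitize_file_name().
function sanitize_upload_name(string $name): string
{
    $name = basename($name);                             // drop any path part
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name); // conservative allow-list
    $name = ltrim($name, '.');                           // no hidden or "../" names
    return $name === '' ? 'file' : $name;
}

// Hardened pattern, step 2: still encode on output. Names stored before the
// fix may already contain markup, and the template must not trust the
// database. Plain-PHP stand-in for WordPress's esc_html().
function render_file_row_hardened(string $stored_name): string
{
    // ENT_QUOTES also encodes quotes, so the value is safe in attributes too.
    $safe = htmlspecialchars($stored_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="file-name">' . $safe . '</td>';
}

// Constructed input: the payload from the advisory.
$payload = '<svg onload=alert(0)>.jpg';

// The tag survives intact in the vulnerable row.
echo render_file_row_vulnerable($payload), PHP_EOL;

// "<" and ">" are encoded in the hardened row, so the browser shows text.
echo render_file_row_hardened($payload), PHP_EOL;

// With upload-time sanitisation the markup never reaches the database.
echo sanitize_upload_name($payload), PHP_EOL;
```

Both layers are needed: sanitising on upload stops new payloads, while encoding on output protects against names already stored and against any other code path that writes file names into a page.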