ThreatPress

WordPress Vulnerabilities Database

WordPress Download Manager Free 2.7.94 & Pro 4 - Authenticated Stored XSS

Product
Download Manager Free & Pro
Description
Download Manager Free and Pro are prone to an authenticated stored XSS: an attacker who can create a new download package can upload a file named `<svg onload=alert(0)>.jpg`. The stored payload triggers when a user edits that download package.
Solution
Upgrade to the latest version.
Classification
Type: XSS (Cross Site Scripting)
OWASP Top 10: A3: Cross Site Scripting (XSS)
References
Exploit-DB
CVE
Name: CVE-N/A
Versions
Affected In: <= 4.2.2
Fixed In: 4.2.3
Disclosure date
2015-07-16
Credits
Filippos Mastrogiannis