ThreatPress

WordPress Vulnerabilities Database

WordPress Simple Download Monitor plugin <=3.5.3 - Authenticated Cross-Site Scripting (XSS) vulnerability

Product
Simple Download Monitor
Description
An authenticated Cross-Site Scripting (XSS) vulnerability was found by wpl0v3r in the WordPress Simple Download Monitor plugin (versions <=3.5.3). The plugin is vulnerable to Cross-Site Scripting via the "sdm_upload_thumbnail" parameter in an edit action to wp-admin/post.php.
Solution
Update the WordPress Simple Download Monitor plugin to the latest available version (at least 3.5.4).
Classification
Type: XSS (Cross Site Scripting)
OWASP Top 10: A3: Cross Site Scripting (XSS)
References
Plugin changelog
CVE
Name: CVE-2018-5212
Versions
Affected In: <=3.5.3
Fixed In: 3.5.4
Disclosure date
2018-01-09
Credits
wpl0v3r
Submitter
ThreatPress