W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin
On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.
We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: Download Manager
The members.php view file
There are two other shortcodes, a login form shortcode ([wpdm_login_form]
) and a registration form shortcode ([wpdm_reg_form]
), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.
class Login
{
function form($params=array())
{
global $current_user;
if (!isset($params) || !is_array($params)) $params=array();
if (isset($params) && is_array($params))
extract($params);
The form method in the Login class
Source: wordfence.com