Wordpress Threats

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

10alert
10alert
2 Min Read

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

Contents
W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress PluginVulnerability Summary from Wordfence Intelligence

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Download Manager

The members.php view file

There are two other shortcodes, a login form shortcode ([wpdm_login_form]) and a registration form shortcode ([wpdm_reg_form]), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.

class Login
{
    function form($params=array())
    {
        global $current_user;

        if (!isset($params) || !is_array($params)) $params=array();

        if (isset($params) && is_array($params))
            extract($params);

The form method in the Login class

    
            
                


Source: wordfence.com

Translate this article

TAGGED: , , , ,
Share This Article

STAY CONECTED

LAST 10 ALERT

Two privilege escalation vulnerability in Simple Membership Plugin
Two privilege escalation vulnerability in Simple Membership Plugin
Wordpress Threats
How to get the latest Windows 11 innovations
Windows
Dynamic Lighting is now available on Windows 11
Windows
Writing poems using LLama 2 on Workers AI
Writing poems using LLama 2 on Workers AI
Apps
serverless GPU-powered inference on Cloudflare’s global network
serverless GPU-powered inference on Cloudflare’s global network
Apps
Lost your password?