Wordpress Threats

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

10alert
10alert
2 Min Read

W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress Plugin

On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

Contents
W3 Eden Addresses Authenticated Stored XSS Vulnerability in Download Manager WordPress PluginVulnerability Summary from Wordfence Intelligence

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Download Manager

The members.php view file

There are two other shortcodes, a login form shortcode ([wpdm_login_form]) and a registration form shortcode ([wpdm_reg_form]), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.

class Login
{
    function form($params=array())
    {
        global $current_user;

        if (!isset($params) || !is_array($params)) $params=array();

        if (isset($params) && is_array($params))
            extract($params);

The form method in the Login class

    
            
                


Source: wordfence.com

Translate this article

TAGGED: , , , ,
Share this Article

STAY CONECTED

LAST 10 ALERT

Safeguards against firmware signed with stolen MSI keys
Threats
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
News
How to enable Taskbar End Task option to close apps on Windows 11
News
How to check USB4 devices specs from Settings on Windows 11
News
Lost your password?