Javier D.

XSS Vulnerability - Simple Download Monitor WordPress Plugin


The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php. 

Publish Date: 2018-01-04. Last Update Date: 2018-01-04.


Following the issue submitted on GitHub:

Quote

When I log in to the WordPress panel, assume I have a low-privilege role like a contributor user.

Because the admin user has turned on the option of the WordPress plugin simple-download-monitor, a normal user like me can also use it.

Now I can write something in the function "Edit Download":


http://localhost/wordpress/wp-admin/post.php?post=x&action=edit

But when I fuzzed the parameters in this plugin, I found that when I write something into these points, it does not filter well:


1. File Thumbnail (Optional)
2. Downloadable File (Visitors will download this item)


While it tells us to enter a valid URL of the file in the text box below, I can write something with evil content like:


http://www.test.com/1.php'"><svg/onload=alert(document.cookie)><'"

Then we can publish the post or just submit it to the admin user for an audit.


It won't be long before I get the other users', even the admin user's, cookie or do something more evil.


Well, by the way, I just tested the bug in WordPress 4.9.1 and the latest version of the wp-plugin simple-download-monitor.
