Executive Summary

This vulnerability exists in the Download Manager plugin for WordPress, specifically in versions up to and including 3.3.52. It is a Stored Cross-Site Scripting (XSS) issue that arises from insufficient input sanitization and output escaping of the 'sid' parameter in the 'wpdm_members' shortcode.

The 'sid' parameter is taken from user input without proper sanitization in the members() function and stored using update_post_meta(). Later, it is output directly into an HTML id attribute in the members.php template without applying the necessary escaping function esc_attr().

Because of this, authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute whenever any user accesses the affected page, potentially compromising user security.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with contributor-level access or above to inject malicious scripts into WordPress pages via the 'sid' parameter. These scripts execute in the context of users visiting the infected pages.

• Execution of arbitrary JavaScript code in users' browsers.
• Potential theft of user session cookies or credentials.
• Defacement or manipulation of website content.
• Possible redirection to malicious websites.
• Compromise of user trust and website integrity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the 'sid' parameter of the 'wpdm_members' shortcode in the Download Manager plugin for WordPress. Detection involves checking for the presence of malicious or unexpected script content injected via this parameter.

You can detect attempts to exploit this vulnerability by searching your WordPress database for suspicious or script-injected values stored in post meta related to the 'sid' parameter.

• Use a database query to find suspicious 'sid' values, for example in MySQL: SELECT * FROM wp_postmeta WHERE meta_key LIKE '%sid%' AND meta_value LIKE '%<script>%';
• Check your WordPress pages or posts rendered with the 'wpdm_members' shortcode for unexpected HTML id attributes containing script tags.
• Monitor web server logs for requests containing the 'sid' parameter with suspicious payloads.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately update the Download Manager plugin to a version later than 3.3.52 where the issue is fixed.

If an update is not immediately possible, restrict contributor-level and above user permissions to trusted users only, as exploitation requires authenticated contributor-level access.

Review and sanitize any stored 'sid' parameter values in your database to remove injected scripts.

Consider disabling or removing the 'wpdm_members' shortcode temporarily until the plugin is updated.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized script execution when users access the affected pages.

Such XSS vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA by compromising confidentiality and integrity of personal or sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Useful 0 Not Useful 0