Reflected XSS in WordPress Download Manager could allow an attacker to do almost anything an admin can


Last revised:

This plugin outputs $_GET[‘id’] inside HTML without escaping, meaning that anybody able to convince an admin to follow a link can add arbitrary HTML to the page.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Sign in
  2. Activate the plugin
  3. Visit the following URL in a browser without XSS mitigation (i.e. Firefox): http://localhost/wp-admin/admin-ajax.php?action=wpdm_generate_password&id=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

Advisory timeline

  • 2017-03-30: Discovered
  • 2017-05-26: Reported to┬á
  • 2017-06-09: First response from vendor saying it’s been fixed and an update will be coming soon
  • 2017-06-09: Version 2.9.52 released “Fixed issue with input data formatting”
  • 2017-06-16: Advisory published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Upgrade to version 2.9.52 or later.