Cross-Site Scripting Vulnerability In Download Manager Plugin

On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. On request, we assigned a vulnerability identifier of CVE-2022-1985.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection.

Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of Download Manager, which is version 3.2.43 at the time of this publication.

Description: Reflected Cross-Site Scripting
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: codename065
Affected Versions: <= 3.2.42
CVE ID: CVE-2022-1985
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Rafie Muhammad (Yeraisci)
Fully Patched Version: 3.2.43

Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting.

Secure coding practices would include checks to sanitize the input received by the page, and escaping that code on the output to ensure that only approved inputs and outputs are presented. Unfortunately, insufficient input sanitization and output escaping on the $_REQUEST['frameid'] parameter found in the ~/src/Package/views/shortcode-iframe.php file of the Download Manager plugin made it possible for an attacker to run arbitrary code in a victim’s browser by getting them to click on a specially crafted URL. This is because the ‘frameid’ parameter was echoed to the page without sufficient user input validation.
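The sanitize-on-input, escape-on-output practice described above, as an added PHP illustration that is not the Download Manager plugin's code or its patch. The function names, the `<div id="...">` markup, the allowlist format and the sample values are assumptions made for the example.

```php
<?php
// Added illustration; NOT the plugin's code. Markup and names are hypothetical.

// Pattern described in the advisory: the request value is echoed unchanged.
function render_frame_unsafe(array $request): string
{
    $frameId = $request['frameid'] ?? '';
    return '<div id="' . $frameId . '"></div>';
}

// Input side: accept only what an identifier needs (assumed format).
function clean_frame_id($raw): string
{
    // Non-string input such as frameid[]=x is rejected outright.
    if (!is_string($raw)) {
        return '';
    }
    // \A and \z anchor the whole string, so a trailing newline cannot slip by.
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1 ? $raw : '';
}

// Output side: escape for the HTML attribute context even after validation,
// so the page stays safe if the allowlist is loosened later.
// Inside WordPress, esc_attr() is the usual function for this step.
function render_frame_safe(array $request): string
{
    $frameId = clean_frame_id($request['frameid'] ?? '');
    $escaped = htmlspecialchars($frameId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="' . $escaped . '"></div>';
}

// Constructed sample inputs: a plain identifier and harmless markup (no script).
$samples = [
    ['frameid' => 'frame_42'],
    ['frameid' => 'x"><i>injected</i>'],
];

foreach ($samples as $request) {
    echo 'unsafe: ', render_frame_unsafe($request), PHP_EOL;
    echo 'safe:   ', render_frame_safe($request), PHP_EOL;
}
```

For the second sample the unsafe function returns markup in which the `<i>` element sits outside the attribute, while the hardened function returns an empty `id`.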

Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values. 

More specialized attackers would use this capability to gain administrator access or add a backdoor and take over the site. If the attacker gains this access, they would have access to the same information the administrator would be able to access, including user details and customer information.

In the case of Download Manager, customer information and access to digital products would both be at risk. If an attacker were able to trick an administrator into clicking a link that has been designed to send session cookies to the attacker, add a malicious administrator account, or implement a backdoor on the website, the attacker would also have free rein in the administrator panel, giving them the ability to modify checkout settings and even add fake products to the website.

Conclusion

In today’s post, we discussed a reflected Cross-Site Scripting (XSS) vulnerability in Download Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

Congratulations to Rafie Muhammad for discovering and responsibly disclosing this vulnerability to the plugin’s developers. As a reminder, Wordfence is a CVE Numbering Authority (CNA) and we can assign CVE IDs to your vulnerability discoveries in WordPress Plugins, Themes, and Core. If you need a CVE for one of your WordPress finds, please fill out our form here. Your vulnerability discovery may be featured on our blog with your permission!

The post Cross-Site Scripting Vulnerability In Download Manager Plugin appeared first on Wordfence.
