Skip to content

Vulnerability Report: Stored-XSS bug at the latest version of simple-download-monitor #27

Closed
@d4wner

Description

@d4wner

Well ,sir ,I just found a Stored-XSS bug here.

When I login into the wordpress panel, assume I have a low privilege role like a contributor user.

Because the admin user has turned on the option of the wp-plugin simple-download-monitor, a normal user like me can also use it.

Now I can write something in the function "Edit Download":

http://localhost/wordpress/wp-admin/post.php?post=x&action=edit

But when I fuzz the parameters in this plugin, I found when I write something into these points, it does not filter well:

1. File Thumbnail (Optional)
2. Downloadable File (Visitors will download this item)

image
image

While it tell us to enter a valid URL of the file in the text box below, I can write something with evil content like:

http://www.test.com/1.php'"><svg/onload=alert(document.cookie)><'"

Then we can publish the post or just submit it to the admin user for an audit.

image

It won't be long beofore I get the other user, even the admin user's cookie or do something more evilly.

image
image

Well, by the way, I just test the bug in the wordpress 4.9.1 and the latest version of the wp-plugin simple-download-monitor.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions