Reflected XSS in WordPress Download Manager could allow an attacker to do almost anything an admin can

CVSS v2 base score

  Score:            5.8 (Medium)
  Vector:           Network
  Complexity:       Medium
  Authentication:   None
  Confidentiality:  Partial
  Integrity:        Partial
  Availability:     None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Vulnerability

The plugin's wpdm_generate_password AJAX handler outputs the raw value of $_GET['id'] inside a <script> block without escaping it. The handler is reached through wp-admin/admin-ajax.php, so the victim has to be logged in, but nothing stops an attacker from supplying the id value: anybody able to convince an admin to follow a crafted link can close the script element with </script> and add arbitrary HTML and JavaScript to the page, which then runs with the admin's session.
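To make the bug and the fix concrete, here is an illustrative pair of handlers written for this page; it is not the plugin's own code, and the function names and the wpdm_id variable are assumed for the example. Both reflect the id parameter into a script context, as the advisory describes; only the second one encodes it. The payload is the advisory's proof-of-concept value, URL-decoded.

```php
<?php
// Added example, not code from WordPress Download Manager. Function and
// variable names (render_password_vulnerable, render_password_safe, wpdm_id)
// are assumptions made for the illustration.

// Vulnerable pattern: the raw query-string value is concatenated straight
// into a <script> block, so "</script>" in the value ends the block early.
function render_password_vulnerable(string $id): string {
    return '<script>var wpdm_id = "' . $id . '";</script>';
}

// Hardened pattern: encode the value for a JavaScript string context and
// hex-escape the characters that could terminate the surrounding element.
// In WordPress, wp_json_encode() or esc_js() provides the same protection.
function render_password_safe(string $id): string {
    $js = json_encode(
        $id,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($js === false) {
        // Invalid UTF-8 in the input: emit an empty string rather than raw bytes.
        $js = '""';
    }
    return '<script>var wpdm_id = ' . $js . ';</script>';
}

// Quick check a tester can apply to a captured response: a single well-formed
// script block contains exactly one closing tag, so a second one means the
// parameter broke out of the script context.
function breaks_out_of_script(string $html): bool {
    return substr_count(strtolower($html), '</script>') > 1;
}

// The advisory's proof-of-concept value for the id parameter, URL-decoded.
$payload = '</script><script>alert(1)</script>';

echo render_password_vulnerable($payload), "\n";
echo render_password_safe($payload), "\n";
var_dump(breaks_out_of_script(render_password_vulnerable($payload)));
var_dump(breaks_out_of_script(render_password_safe($payload)));
```

Run it with `php example.php`: the first rendering contains the attacker's second script element verbatim, while the encoded rendering turns `<` and `>` into `\u003C` and `\u003E` so the browser never sees a closing tag. Encoding for the right context (JavaScript string here, not generic HTML) is the point; htmlspecialchars() alone would also stop this particular payload, but the JSON encoding is the form that matches where the value is used.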

Proof of concept

  1. Sign in as an administrator
  2. Activate the plugin
  3. Visit the following URL in a browser without a reflected-XSS filter (e.g. Firefox): http://localhost/wp-admin/admin-ajax.php?action=wpdm_generate_password&id=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

Mitigation/further actions

Upgrade to version 2.9.52 or later. Until the update is applied, deactivating the plugin removes the vulnerable AJAX action.