This plugin outputs `$_GET['id']` inside HTML without escaping, so anyone who can convince an administrator to follow a crafted link can inject arbitrary HTML (and therefore script) into the admin page (reflected XSS).
Proof of concept
- Sign in
- Activate the plugin
- Visit the following URL in a browser without built-in XSS mitigation (e.g. Firefox): http://localhost/wp-admin/admin-ajax.php?action=wpdm_generate_password&id=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E
Upgrade to version 2.9.52 or later.
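For plugin developers, the defect described above beside a hardened form, as an added illustration that is hypothetical and not the plugin's actual handler: the function names, the nonce action name and the assumption that `id` is a short alphanumeric key are all made up for the example.

```php
<?php
// Added illustration (hypothetical, not the plugin's real code): an admin-ajax action that
// reflects $_GET['id'] into a <script> block, the pattern the advisory's payload exploits.

// VULNERABLE: the id is concatenated into markup unescaped. A value such as
// </script><script>alert(1)</script> closes the script element and injects new markup.
function vulnerable_generate_password_handler() {
    $id = isset( $_GET['id'] ) ? $_GET['id'] : '';
    echo '<script>document.getElementById("pw-' . $id . '").value = "'
        . wp_generate_password( 12 ) . '";</script>';
    wp_die();
}

// HARDENED: same behaviour, three defences layered.
function hardened_generate_password_handler() {
    // 1. Only users allowed to manage the plugin may trigger the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. A nonce bound to the action stops links crafted by a third party (CSRF).
    check_ajax_referer( 'wpdm_generate_password_nonce', 'nonce' );

    // 3. Constrain the input type (assumed: an alphanumeric key), then encode for
    //    the exact output context (a JavaScript string literal inside <script>).
    $id       = isset( $_GET['id'] ) ? sanitize_key( wp_unslash( $_GET['id'] ) ) : '';
    $password = wp_generate_password( 12 );

    // JSON_HEX_* turns <, >, &, " and ' into \uXXXX escapes and json_encode already
    // escapes "/", so the value can never contain the "</script" sequence.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS;
    echo '<script>document.getElementById(' . wp_json_encode( 'pw-' . $id, $flags )
        . ').value = ' . wp_json_encode( $password, $flags ) . ';</script>';
    wp_die();
}
add_action( 'wp_ajax_wpdm_generate_password', 'hardened_generate_password_handler' );
```

When the response is consumed by JavaScript rather than rendered, returning JSON via `wp_send_json_success()` instead of emitting a `<script>` block removes the HTML context entirely.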