1 May 2025

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager

The developer of the WordPress plugin Download Manager has continued to not secure their plugin against authenticated persistent cross-site scripting (XSS) through shortcodes. We looked at that in the past. They didn’t work with us to get the problem fully resolved or get it done on their own. Since then, in version 3.2.98, a changelog entry suggested another attempt, “Fixed a shortcode parameter sanitization issue with the all downloads shortcode ( reported by Jack Taylor from Wordfence )”. Then a changelog for version 3.3.00 suggested another attempt, “Fixed a parameter sanitization issue with short-code [wpdm_login_form].” In looking over the code, we confirmed there is at least one more issue. We would recommend not using the plugin unless the developer shows they are committed to finally fully securing the plugin.


26 Feb 2024

Authenticated Information Disclosure Vulnerability in Download Manager

While reviewing the second attempt to address a vulnerability related to failure to properly sanitize, validate, and/or escape shortcode attributes in the WordPress plugin Download Manager, we found another issue that still hasn’t been addressed. It involves a shortcode located in the file /src/Category/Shortcodes.php. The shortcode wpdm_category_link calls the function categoryLink() in that file:


23 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 23

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly that is with plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it to help people better understand what is going on and how signing up for our service can help to expand that work.

This week, we again found that vulnerability fixes in popular plugins were incomplete or hadn’t been applied to all the plugins they needed to be. Some of those have now been addressed, some haven’t. You can sign up for a free trial of our service to see if you are using plugins that are known to be vulnerable. We currently have data on plugins with at least 8.2 million installs that are known to be vulnerable and still in the WordPress Plugin Directory.

21 Feb 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager

One of the changelog entries for the latest version of the WordPress plugin Download Manager suggested that an authenticated persistent cross-site scripting (XSS) vulnerability through a shortcode was being fixed, as it reads “Fixed input sanitization issues with short-code parameters.” In looking into the changes made, it looked like the fix was incomplete. A bit of testing confirmed that. We have reached out to the developer to let them know the fix was not completed and offer to help them address this.


4 Dec 2023

WordPress Download Manager Plugin Exposed Passwords, Still Is Storing Plaintext Passwords

Developers of WordPress plugins are not always open about fixing security issues in their plugins. That seems to be the case with the latest release of the 100,000+ install Download Manager plugin. The changelog for that hints that there might have been a security issue fixed, as it reads “fixed an issue with the password validation for password-protected files.” As at least one of our customers is using the plugin, we checked over that to see if there was something we should be warning about and, if so, to make sure it was fixed. We found that a security issue was addressed, though there is another underlying issue that still hasn’t been addressed.

In the plugin’s file /src/Package/PackageLocks.php, a single line of code was removed in the new version:

17 Feb 2023

Not Really a WordPress Plugin Vulnerability, Week of February 17

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting in Broken Link Checker

Automattic’s WPScan claimed there had been an admin+ stored cross-site scripting via import vulnerability in the plugin Broken Link Checker. They explained it this way:

18 Apr 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in WordPress Download Manager

Yesterday ThuraMoeMyint released two reports of a reflected cross-site scripting (XSS) vulnerability in Download Manager (WordPress Download Manager). The information provided was not of great quality, but the main description provided us enough to figure out what was going on:


28 Jan 2019

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin with 100,000+ Installs

As part of our work to further improve our Plugin Security Checker, an automated tool anyone can use to check whether a WordPress plugin possibly contains security issues, we log the results of checks of plugins in the Plugin Directory and do spot checks of those. Through that we found that the plugin Download Manager, which has 100,000+ active installations according to wordpress.org, contains a reflected cross-site scripting (XSS) vulnerability.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.