Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager
The developer of the WordPress plugin Download Manager has continued to not secure their plugin against authenticated persistent cross-site scripting (XSS) through shortcodes. We looked at that in the past. They didn’t work with us to get the problem fully resolved or get it done on their own. Since then, in version 3.2.98, a changelog entry suggested another attempt, “Fixed a shortcode parameter sanitization issue with the all downloads shortcode ( reported by Jack Taylor from Wordfence )”. Then a changelog for version 3.3.00 suggested another attempt, “Fixed a parameter sanitization issue with short-code [wpdm_login_form].” In looking over the code, we confirmed there is at least one more issue. We would recommend not using the plugin unless the developer shows they are committed to finally fully securing the plugin.
…