# Exploit Title: WordPress Plugin: WordPress Download Manager Free & Pro Persistent Cross Site Scripting # Google Dork: # Date: 12-06-2013 # Exploit Author: IT Nerdbox # Vendor Homepage: http://www.wpdownloadmanager.com # Software Link: http://downloads.wordpress.org/plugin/download-manager.zip # Version: v3.3.8 # Tested on: WordPress 3.7.1 on Linux CentOS # CVE : N/A When creating a new download package you need to enter a title, description and the file(s) that you want to be available for download. The title input field is not sanitized and therefor vulnerable to persistent cross site scripting. The payload used is <input onmouseover=prompt(document.cookie)> More information, including screenshots, can be found at: http://www.nerdbox.it/wordpress-download-manager-xss/Брой прочитания на тази страница: 1105
WordPress Download Manager Free & Pro 2.5.8 – Persistent Cross Site Scripting