Reflected XSS in WP Download Codes

Credit

This vulnerability has been discovered and reported by Carl Clegg (carl(at)cjc(dot)im)

Timeline

• 2016-07-15: Vendor Notified
• 2016-11-21 Advisory Published

Product

The plugin enables to generation and management of download codes for different types of files (zip, mp3, ...). Author: Blog post

Risk / Severity Rating

Not Calculated

Description and Impact

The yourcode parameter when viewing a download code form allows for XSS.

`$html .= dc_msg( 'code_enter' ) .' <input type="text" name="code_' . $shortcode_id . '" value="' . ( $post_code != "" ? $post_code : ( $_GET['yourcode'] != "" ? $_GET['yourcode'] : "" ) ) . '" size="20" /> ';`

Proof of Concept

http://wordpress.site/download-code/?yourcode=%22%3E%3Cscript%20src=data:%26comma;alert(1)//

Solution

Disable the plugin until an upgrade is available

References

• XSS here

Legal

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

home