CVE-2021-24969 in WordPress Download Manager Plugin
Summary
by MITRE • 12/27/2021
The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as admin dashboard and frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated users such as subscriber is able to call it and perform Cross-Site Scripting attacks.
Analysis
by VulDB Data Team • 03/21/2025
CVE-2021-24969 affects WordPress Download Manager versions before 3.2.22. It is a stored cross-site scripting flaw (CWE-79) with two independent causes. First, template data is written into pages in both the admin dashboard and the frontend without sanitisation on input or escaping on output, so whatever is stored in a template reaches the browser verbatim. Second, the wpdm_save_template AJAX action that writes that data performs neither a capability check nor a nonce (CSRF) check, so the only requirement for reaching it is a logged-in session, which a subscriber account satisfies.
Exploitation is straightforward: an attacker with any account submits a crafted template through wpdm_save_template, and the payload is stored and then executed in the browser of every user who later loads a page that renders the template, including administrators viewing the dashboard. WordPress dispatches wp_ajax_* handlers for every authenticated user regardless of role; enforcing capabilities is the handler's job, so the missing authorisation check is what lets a subscriber exploit this directly. The missing nonce check widens the attacker set further rather than merely compounding the risk: a request to wpdm_save_template can be forged from a third-party page, so an attacker with no account at all can plant the payload by luring a logged-in user of any role to a page that submits the forged request from their browser.
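To make the two causes concrete, the following is an added example written for this page, not the plugin's own code: a minimal WordPress AJAX handler that saves and renders a "template", first in the shape the advisory describes (no nonce check, no capability check, raw output) and then hardened. The hook names, option key and field names (demo_save_template, demo_template, nonce, template) are assumptions; the WordPress functions used (check_ajax_referer, current_user_can, wp_kses_post, wp_create_nonce, wp_send_json_*) are the real APIs.

```php
<?php
// Added example (not the plugin's code): the vulnerable shape beside the fix.
// Hook names, option key and field names are assumptions made for the demo.

// ---- Vulnerable shape: no nonce check, no capability check, raw output ----
add_action( 'wp_ajax_demo_save_template_vuln', 'demo_save_template_vulnerable' );
function demo_save_template_vulnerable() {
    // wp_ajax_* fires for ANY logged-in user, subscribers included, and
    // nothing proves the request came from the plugin's own form (CSRF).
    $template = wp_unslash( $_POST['template'] ?? '' );
    update_option( 'demo_template', $template ); // stored exactly as sent
    wp_send_json_success();
}

function demo_render_template_vulnerable() {
    // Echoed unescaped into wp-admin and frontend pages: stored XSS.
    echo get_option( 'demo_template', '' );
}

// ---- Hardened shape ----
add_action( 'wp_ajax_demo_save_template', 'demo_save_template_hardened' );
function demo_save_template_hardened() {
    // 1. CSRF: the request must carry the nonce issued with the form.
    //    check_ajax_referer() dies with -1 / HTTP 403 on mismatch.
    check_ajax_referer( 'demo_save_template', 'nonce' );

    // 2. Authorisation: only users who may manage the site edit templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input sanitisation: keep the HTML a post author may write and
    //    strip <script>, on* handlers and javascript: URLs.
    $template = wp_kses_post( wp_unslash( $_POST['template'] ?? '' ) );
    update_option( 'demo_template', $template );
    wp_send_json_success();
}

function demo_render_template_hardened() {
    // 4. Escape at the point of output as well; stored data is not trusted
    //    just because it passed a filter on the way in.
    echo wp_kses_post( get_option( 'demo_template', '' ) );
}

// Form side: issue the nonce the hardened handler verifies.
function demo_template_form() {
    ?>
    <form id="demo-template-form">
        <input type="hidden" name="action" value="demo_save_template">
        <input type="hidden" name="nonce"
               value="<?php echo esc_attr( wp_create_nonce( 'demo_save_template' ) ); ?>">
        <textarea name="template"></textarea>
    </form>
    <?php
}
```

wp_kses_post() is the right filter when a template legitimately contains markup; if templates are plain text, esc_html() on output is stricter. If a template must be allowed to carry script, gate that on the unfiltered_html capability rather than relaxing the filter for everyone.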
The impact is that of any stored XSS, scaled by who views the affected pages. On the frontend the payload can deface content, redirect visitors to attacker-controlled domains or present phishing forms. In the dashboard it runs with the viewing administrator's session: WordPress sets its auth cookies HttpOnly, so the script usually cannot read them, but it does not need to, because it can issue authenticated requests to wp-admin endpoints from inside the page and, for example, create a new administrator account, change plugin settings or download configurations, or inject further content. That is how a subscriber-level account, or no account at all via the CSRF route, becomes full site compromise, and the risk is highest on sites with many low-privilege registered users.
Upgrade to WordPress Download Manager 3.2.22 or later; the fix addresses the missing checks in wpdm_save_template and the missing escaping. Upgrading does not remove payloads already stored, so after patching review the plugin's saved templates for injected script or markup. Until the upgrade is applied, a WAF rule that blocks or alerts on admin-ajax.php requests carrying action=wpdm_save_template is a usable stopgap, with the caveat that legitimate administrator saves will trip it too. A Content Security Policy that forbids inline scripts limits what a payload can do on the frontend, but offers little protection inside wp-admin, which itself depends on inline scripts. The vulnerability is CWE-79 (Cross-site Scripting); VulDB maps it to ATT&CK T1566 (Phishing), covering the cross-site delivery of the forged request, and T1059 (Command and Scripting Interpreter), whose sub-technique T1059.007 (JavaScript) describes the payload itself. Regular audits of installed plugins, a WAF in front of admin-ajax.php and logging of template modifications by non-administrators should be part of a standing defence against similar flaws in the WordPress ecosystem.
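The stopgap described above can be applied inside WordPress itself rather than at a WAF, which has the advantage of seeing the caller's role. The following must-use plugin is an added example, not part of Download Manager: it hooks the same wp_ajax_wpdm_save_template action that WordPress derives from the action name, at priority 0 so it runs before the plugin's own handler, and stops requests from users lacking manage_options. The assumption is that the plugin registers its handler at the default priority (10); the log format and the choice of manage_options as the required capability are choices made for this example.

```php
<?php
/**
 * Plugin Name: Stopgap guard for wpdm_save_template
 * Description: Added example (not part of WordPress Download Manager).
 * Drop into wp-content/mu-plugins/ until the 3.2.22 upgrade is applied.
 */

// admin-ajax.php dispatches a logged-in request with action=X to the hook
// "wp_ajax_X". Priority 0 runs this guard ahead of the plugin's handler,
// assuming the plugin registered at the default priority of 10.
add_action( 'wp_ajax_wpdm_save_template', 'stopgap_guard_wpdm_save_template', 0 );

function stopgap_guard_wpdm_save_template() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's own handler
    }

    $user = wp_get_current_user();

    // Leave an audit trail (PHP error log; route to your SIEM as needed).
    // Field names are logged rather than values so no payload is echoed back.
    error_log( sprintf(
        'wpdm_save_template blocked: user=%s id=%d ip=%s fields=%s',
        $user->user_login,
        $user->ID,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        implode( ',', array_keys( $_POST ) )
    ) );

    // wp_send_json_error() ends the request with wp_die(), so the
    // plugin's handler at priority 10 never executes.
    wp_send_json_error( 'forbidden', 403 );
}
```

This does not fix the missing nonce check (an administrator can still be made to submit a forged request) or the missing output escaping, so it is a containment measure for the direct subscriber path only; the upgrade remains the fix. The blocked-request log lines also double as a detection source for accounts probing the endpoint.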