CVE-2023-6954 in Download Manager Plugin
Summary
by MITRE • 03/13/2024
The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/18/2025
The vulnerability identified as CVE-2023-6954 affects the Download Manager Pro plugin for WordPress, representing a critical stored cross-site scripting flaw that has significant implications for WordPress site security. This vulnerability exists in all versions up to and including 3.2.85, making it a widespread concern for administrators who have not yet updated their installations. The issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, which allows malicious actors to inject persistent malicious scripts that can execute in the context of other users' browsers.
The technical nature of this vulnerability places it squarely within the category of CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that enables attackers to inject malicious code into web pages viewed by other users. The flaw specifically manifests when user-supplied attributes are processed through the plugin's shortcode functionality without proper validation or sanitization, creating an environment where malicious payloads can be stored and executed later. This stored XSS vulnerability is particularly dangerous because the injected scripts persist on the server and execute whenever affected pages are accessed, making it a latent threat that can affect multiple users over extended periods.
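The CWE-79 pattern the analysis describes, as an added example that is not the plugin's code: a shortcode handler that interpolates user-supplied attributes straight into HTML, next to a hardened handler that allow-lists attributes with shortcode_atts(), coerces types, and escapes at output with the escaper matching the HTML context. The shortcode name [example_download], its attributes, and the sample attribute values are constructed placeholders; the stand-in functions at the top exist only so the file runs under plain php outside WordPress.

```php
<?php
// Added example (not the plugin's code): the unsafe shortcode pattern beside its fix.
// The shortcode name [example_download] and its attributes are hypothetical.

// Stand-ins so this file runs under plain `php`; inside WordPress the real
// functions of the same name are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function absint($n) { return abs((int) $n); }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
    function shortcode_atts($pairs, $atts, $shortcode = '') {
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
    function add_shortcode($tag, $callback) { /* no-op outside WordPress */ }
}

// VULNERABLE: attribute values typed into post content by a contributor are
// placed into HTML unescaped, so a crafted title or class becomes a stored script.
function example_download_vulnerable($atts) {
    $id    = isset($atts['id'])    ? $atts['id']    : 0;
    $title = isset($atts['title']) ? $atts['title'] : 'Download';
    $class = isset($atts['class']) ? $atts['class'] : 'btn';
    return '<a class="' . $class . '" href="?download=' . $id . '">' . $title . '</a>';
}

// HARDENED: allow-list the attributes, coerce each to its expected type, and
// escape at the point of output with the escaper for that HTML context.
function example_download_hardened($atts) {
    $a = shortcode_atts(array(
        'id'    => 0,
        'title' => 'Download',
        'class' => 'btn',
    ), $atts, 'example_download');

    $id    = absint($a['id']);                                    // numeric only
    $title = sanitize_text_field($a['title']);                    // input-side cleanup
    $class = preg_replace('/[^A-Za-z0-9_-]/', '', $a['class']);   // tight allow-list for class names

    return sprintf(
        '<a class="%s" href="?download=%d">%s</a>',
        esc_attr($class),   // attribute context
        $id,
        esc_html($title)    // text-node context
    );
}

add_shortcode('example_download_vuln', 'example_download_vulnerable');
add_shortcode('example_download',      'example_download_hardened');

// Constructed sample attributes of the kind the advisory describes: one value
// carries markup, the other breaks out of the quoted attribute.
$constructed = array(
    'id'    => '7',
    'title' => '<img src=x onerror=alert(1)>',
    'class' => 'btn" autofocus onfocus="alert(1)',
);

echo "vulnerable: " . example_download_vulnerable($constructed) . "\n";
echo "hardened:   " . example_download_hardened($constructed) . "\n";
```

Run with `php example.php`: the vulnerable line emits live markup and an extra event-handler attribute, while the hardened line emits a single anchor whose title is inert text and whose class is reduced to `btn`. The point the advisory makes is the second half of the fix: sanitizing on input is not enough on its own, because the escaper has to match the context (attribute, text node, URL) where the value is finally written.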
The operational impact of this vulnerability is substantial for WordPress administrators and site owners, as it requires only authenticated access with contributor-level permissions or higher to exploit effectively. This means that attackers who have gained access to accounts with these privileges can leverage the vulnerability to compromise other users who may not have elevated permissions. The attack vector allows for persistent script injection that can be used to steal session cookies, redirect users to malicious sites, deface content, or even execute more sophisticated attacks such as credential harvesting or privilege escalation within the WordPress environment. The fact that this vulnerability affects the plugin's shortcode functionality means that it can be exploited through various legitimate content management pathways, making detection and prevention more challenging for security teams.
From a mitigation standpoint, the primary and most effective solution is to upgrade to a patched version of the Download Manager Pro plugin, which should address the input sanitization and output escaping deficiencies. System administrators should implement immediate monitoring of user accounts with contributor-level permissions to detect any unusual activity that might indicate exploitation attempts. Additionally, implementing proper input validation at multiple layers of the application stack, including the plugin's shortcode processing functions, can provide defense-in-depth measures. The vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it could be exploited through maliciously crafted shortcodes embedded in content that users might inadvertently interact with. Organizations should also consider implementing Content Security Policy (CSP) headers as an additional protective measure; although a CSP will not prevent the stored XSS itself, it can mitigate the potential damage from successful exploitation attempts. Regular security audits of WordPress plugins and themes remain essential for maintaining overall system security posture and preventing similar vulnerabilities from being exploited in the future.
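The CSP mitigation mentioned above, as an added example that is not part of the advisory or the plugin: a small must-use plugin that sends a nonce-based Content-Security-Policy from the send_headers hook and attaches the same nonce to scripts WordPress enqueues, so legitimate scripts keep running while inline script and event-handler attributes injected through a shortcode are refused by the browser. The hook and filter names are real WordPress hooks; the policy directives and the function names prefixed example_ are assumptions to tune for a given site, and the function_exists guards only let the file load outside WordPress.

```php
<?php
/*
 * Plugin Name: Example CSP (added example, not from the advisory)
 * Drop into wp-content/mu-plugins/ to load on every request.
 *
 * This does not remove a stored payload from the database; it stops the browser
 * from executing script that does not carry the per-request nonce.
 */

// One random nonce per request, shared by the header and the script tags.
function example_csp_nonce() {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Policy text; directive values are assumptions and should be tuned per site.
function example_csp_policy($nonce) {
    return implode('; ', array(
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",   // no 'unsafe-inline': inline/onerror= handlers are blocked
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ));
}

// Switch to true while rolling out so violations are reported, not enforced.
function example_csp_header_name($report_only = false) {
    return $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
}

function example_send_csp() {
    if (!headers_sent()) {
        header(example_csp_header_name(false) . ': ' . example_csp_policy(example_csp_nonce()));
    }
}

// Stamp the nonce onto <script> tags WordPress prints for enqueued and inline
// scripts (filters available since WordPress 5.7).
function example_csp_script_attrs($attributes) {
    $attributes['nonce'] = example_csp_nonce();
    return $attributes;
}

if (function_exists('add_action')) {
    add_action('send_headers', 'example_send_csp');
    add_filter('wp_script_attributes', 'example_csp_script_attrs');
    add_filter('wp_inline_script_attributes', 'example_csp_script_attrs');
} else {
    // Outside WordPress: just show the header that would be sent.
    echo example_csp_header_name(false) . ': ' . example_csp_policy(example_csp_nonce()) . "\n";
}
```

Deploy it first with example_csp_header_name(true) and watch the browser console or a report endpoint for legitimate theme or plugin scripts that lack the nonce, then switch to enforcing. Scripts a theme prints by hand without wp_enqueue_script() or wp_add_inline_script() will not receive the nonce and need to be moved onto those APIs before enforcement.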