CVE-2024-4160 in Download Manager Plugin

Summary

by MITRE • 05/31/2024

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm-all-packages' shortcode in all versions up to, and including, 3.2.90 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

by VulDB Data Team • 03/27/2025

CVE-2024-4160 affects the Download Manager plugin for WordPress in all versions up to and including 3.2.90. It is a critical security flaw that enables stored cross-site scripting through the plugin's 'wpdm-all-packages' shortcode. The root cause is inadequate input sanitization and output escaping: user-supplied shortcode attributes are neither validated when they are stored nor escaped when the shortcode implementation renders them. Security researchers have identified that this allows authenticated attackers with contributor-level privileges or higher to inject scripts that persist in the plugin's data handling processes.

The technical exploitation of this vulnerability occurs through the manipulation of shortcode attributes that are processed by the plugin's internal functions. When an attacker with sufficient privileges creates or modifies content using the 'wpdm-all-packages' shortcode, they can inject malicious JavaScript code within the attribute values. The vulnerability exists because the plugin does not adequately sanitize these inputs before storing them in the database or rendering them in web pages. This stored malicious content becomes executable whenever legitimate users access pages containing the compromised shortcode, creating a persistent threat vector that can affect any user who views the affected content.

From an operational impact perspective, this vulnerability poses significant risk to WordPress installations using the Download Manager plugin. Attackers can leverage the flaw to execute arbitrary scripts in the browsers of authenticated users, potentially leading to session hijacking, data theft, or privilege escalation within the WordPress environment. Because any account that can place the shortcode in content (contributor level and above) can plant the payload, the flaw is particularly dangerous in multi-user environments where contributors or authors have access to content management features. The stored nature of the XSS means the malicious code remains persistent and continues to execute for every viewer until it is manually removed from the system.

The vulnerability aligns with CWE-79, which describes cross-site scripting flaws that occur when untrusted data is sent to a web browser without proper sanitization or escaping. This particular instance also relates to ATT&CK technique T1566 (Phishing), which covers delivering malicious content to users through social engineering, and T1059 (Command and Scripting Interpreter), which covers executing malicious code through scripting mechanisms. Organizations using affected versions of the Download Manager plugin should immediately implement mitigations: update to the latest available version, apply proper input validation on shortcode attributes, and review existing content for potentially malicious scripts. Additionally, administrators should consider restricting contributor-level access to shortcode functionality and deploying monitoring to detect unauthorized content modifications. The vulnerability demonstrates the importance of proper input sanitization and output escaping in web applications, particularly in content management systems that process user-generated content.
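As an added illustration that is not the Download Manager plugin's code and is not taken from this record, the following hypothetical WordPress shortcode handler shows the unsafe pattern the analysis describes beside a hardened version that validates each attribute on input and escapes it on output. The shortcode tag `example-packages`, the attribute names and the WordPress runtime are assumptions.

```php
<?php
// Added example: a hypothetical WordPress shortcode handler, NOT the Download
// Manager plugin's code. Tag name and attribute names are assumptions chosen
// to illustrate the class of bug described above. Assumes a WordPress runtime.

// UNSAFE pattern: attribute values flow straight into the HTML output.
// A contributor who writes [example-packages-unsafe title="..."] controls
// $atts['title'], and whatever it contains is rendered verbatim to every
// visitor of the page: a stored XSS.
function example_packages_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Packages', 'cols' => '3' ), $atts, 'example-packages-unsafe' );
    return '<div class="packages" data-cols="' . $atts['cols'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// HARDENED pattern: validate on input, escape on output, per WordPress conventions.
function example_packages_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'Packages', 'cols' => 3 ), $atts, 'example-packages' );

    // Input validation: constrain each attribute to the type and range it should have.
    $title = sanitize_text_field( $atts['title'] ); // strips tags and stray control chars
    $cols  = absint( $atts['cols'] );               // forces a non-negative integer
    if ( $cols < 1 || $cols > 6 ) {
        $cols = 3;                                  // out-of-range value: fall back to a safe default
    }

    // Output escaping: pick the escaper that matches the HTML context of each value.
    return '<div class="packages" data-cols="' . esc_attr( $cols ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}
add_shortcode( 'example-packages', 'example_packages_safe' );
```

Escaping is context-specific (esc_attr() for attribute values, esc_html() for text nodes, esc_url() for URLs), and sanitizing on input alone is not sufficient because stored data may later be emitted into several different contexts.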

Reservation: 04/25/2024

Disclosure: 05/31/2024

Moderation: accepted

CPE: ready

EPSS: 0.00342

KEV: no

Activities: very low
