CVE-2017-2217 – WordPress Download Manager < 2.9.51 - Open Redirect
https://notcve.org/view.php?id=CVE-2017-2217
Open redirect vulnerability in WordPress Download Manager prior to version 2.9.51 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Una vulnerabilidad de redirección abierta en versiones anteriores a la 2.9.51 de WordPress Download Manager permite a atacantes remotos redirigir usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN79738260/index.html https://plugins.trac.wordpress.org/changeset/1650075 https://wordpress.org/plugins/download-manager/#developers • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2017-18032 – WordPress Download Manager <= 2.9.51 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18032
The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php. El plugin download-manager en versiones anteriores a la 2.9.52 para WordPress tiene XSS mediante el parámetro id en una acción wpdm_generate_password en wp-admin/admin-ajax.php. • https://security.dxw.com/advisories/xss-download-manager https://wordpress.org/plugins/download-manager/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-2216 – WordPress Download Manager <= 2.9.49 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-2216
Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de Cross-Site Scripting (XSS) en versiones anteriores a la 2.9.50 de WordPress Download Manager permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. The WordPress Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting parameter in versions up to, and including, 2.9.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN79738260/index.html https://plugins.trac.wordpress.org/changeset/1650075 https://wordpress.org/plugins/download-manager/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-8585
https://notcve.org/view.php?id=CVE-2014-8585
Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php. Vulnerabilidad de salto de directorio en el plugin WordPress Download Manager para WordPress permite a atacantes remotos leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro fname en (1) views/file_download.php o (2) file_download.php. • http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html http://www.securityfocus.com/bid/70764 https://exchange.xforce.ibmcloud.com/vulnerabilities/98318 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2013-7319 – Download Manager < 2.5.9 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-7319
Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field. Vulnerabilidad de XSS en el plugin Download Manager anterior a 2.5.9 para WordPress permite a atacantes remotos inyectar script Web o HTML arbitrario a través del campo "title". • https://www.exploit-db.com/exploits/30105 http://secunia.com/advisories/55969 http://wordpress.org/plugins/download-manager/changelog http://www.exploit-db.com/exploits/30105 http://www.nerdbox.it/wordpress-download-manager-xss http://www.securityfocus.com/bid/64159 http://www.wpdownloadmanager.com/support/topic/security-issue-found-who-to-contact https://exchange.xforce.ibmcloud.com/vulnerabilities/89524 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •