Page 5 of 22 results (0.011 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de Cross-Site Scripting (XSS) en versiones anteriores a la 2.9.50 de WordPress Download Manager permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. The WordPress Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting parameter in versions up to, and including, 2.9.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN79738260/index.html https://plugins.trac.wordpress.org/changeset/1650075 https://wordpress.org/plugins/download-manager/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 104EXPL: 1

Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php. Vulnerabilidad de salto de directorio en el plugin WordPress Download Manager para WordPress permite a atacantes remotos leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro fname en (1) views/file_download.php o (2) file_download.php. • http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html http://www.securityfocus.com/bid/70764 https://exchange.xforce.ibmcloud.com/vulnerabilities/98318 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •