CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18032 – WordPress Download Manager <= 2.9.51 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18032
The download-manager plugin before 2.9.52 for WordPress has XSS via the id parameter in a wpdm_generate_password action to wp-admin/admin-ajax.php. El plugin download-manager en versiones anteriores a la 2.9.52 para WordPress tiene XSS mediante el parámetro id en una acción wpdm_generate_password en wp-admin/admin-ajax.php. • https://security.dxw.com/advisories/xss-download-manager https://wordpress.org/plugins/download-manager/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2216 – WordPress Download Manager <= 2.9.49 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-2216
Cross-site scripting vulnerability in WordPress Download Manager prior to version 2.9.50 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de Cross-Site Scripting (XSS) en versiones anteriores a la 2.9.50 de WordPress Download Manager permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. The WordPress Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting parameter in versions up to, and including, 2.9.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN79738260/index.html https://plugins.trac.wordpress.org/changeset/1650075 https://wordpress.org/plugins/download-manager/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •