CVE-2024-47341
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-DownloadManager wp-downloadmanager allows Reflected XSS. This issue affects WP-DownloadManager: from n/a through <= 1.68.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP-DownloadManager plugin ≤1.68.8 has a reflected XSS flaw due to improper input sanitization, enabling script injection via crafted requests.
Vulnerability Overview
The WP-DownloadManager plugin for WordPress, versions from n/a through 1.68.8, contains a reflected cross-site scripting (XSS) vulnerability [1]. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript code into the response [1].
Attack Vector
An attacker can exploit this flaw by crafting a malicious link or URL that, when visited by a victim (e.g., an authenticated administrator), causes the injected script to execute in the victim's browser within the context of the WordPress admin interface [1]. User interaction is required—the victim must click on the crafted link or visit a specially prepared page [1]. No special privileges are needed for the attacker beyond the ability to craft a URL, but successful exploitation depends on a user with administrative or other roles performing that action [1].
Impact
If successfully exploited, the attacker can inject malicious scripts such as redirects, advertisements, or other HTML payloads into the site [1]. This could lead to session hijacking, defacement, or theft of sensitive information when visitors access the compromised page [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].
Mitigation
The vulnerability is fixed in version 1.68.9 of the plugin [1]. Users are strongly advised to update immediately. If an update is not possible, a mitigation rule from security vendors like Patchstack can block attacks until the patch is applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.68.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.