WordPress WP-DownloadManager plugin <= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
CVE-2022-25605

4.8MEDIUM

Key Information:

Vendor: WordPress
Status: WP-downloadmanager (WordPress)
Vendor: CVE Published:; 18 March 2022

What is CVE-2022-25605?

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.

Affected Version(s)

WP-DownloadManager (WordPress) <= 1.68.6 <= 1.68.6

References

https://wordpress.org/plugins/wp-downloadmanager/#developers

x_refsource_CONFIRM

https://patchstack.com/database/vulnerability/wp-download...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2022
Vulnerability Reserved
Feb 21, 2022

Credit

Vulnerability discovered by Ex.Mi (Patchstack).