WordPress WP-DownloadManager plugin <= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
CVE-2022-25606

4.8MEDIUM

Key Information:

Vendor: WordPress
Status: WP-downloadmanager (WordPress)
Vendor: CVE Published:; 25 March 2022

What is CVE-2022-25606?

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.

Affected Version(s)

WP-DownloadManager (WordPress) <= 1.68.5 <= 1.68.5

References

https://wordpress.org/plugins/wp-downloadmanager/#developers

x_refsource_CONFIRM

https://patchstack.com/database/vulnerability/wp-download...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 25, 2022
Vulnerability Reserved
Feb 21, 2022

Credit

Vulnerability discovered by Ex.Mi (Patchstack).