Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting. Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values. It is recommended that you update your sites immediately. In order to avoid web site crashes and to assure timely security updates it is best to use our WordPress Maintenance Service.
WordPress Download Manager plugin <= 3.2.42 – Reflected Cross-Site Scripting (XSS) vulnerability
Plugin slug: download-manager
Update to version: 3.2.43
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Rafie Muhammad (Yeraisci) in WordPress Download Manager plugin (versions <= 3.2.42). Update the WordPress Download Manager plugin to the latest available version (at least 3.2.43). The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including, 3.2.42. This is due to insufficient input sanitization and output escaping on the ‘frameid’ parameter found in the shortcode-iframe.php file.
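The advisory attributes the bug to missing sanitization and escaping of a request parameter that ends up in shortcode markup. The following is an added illustration, not the plugin's own code: a hypothetical `frameid` handling routine in its unsafe and hardened forms, using plain PHP with the WordPress equivalents noted in comments. The function names, the iframe markup and the constructed request value are all assumptions.

```php
<?php
// Added example, not code from the Download Manager plugin. It shows the
// pattern the advisory describes (a request parameter written into an HTML
// attribute without sanitization or escaping) next to the fixed pattern.

// Unsafe: the raw request value is concatenated into the id attribute, so any
// double quote in the value terminates the attribute and the rest of the value
// becomes new attributes on the element.
function render_iframe_unsafe(array $request): string {
    $frameid = $request['frameid'] ?? 'wpdm-frame';
    return '<iframe id="' . $frameid . '" src="about:blank"></iframe>';
}

// Hardened: sanitize on input (an element id only needs [A-Za-z0-9_-]; in
// WordPress sanitize_key() does a similar job) and escape on output (esc_attr()
// in WordPress; htmlspecialchars() is the plain-PHP equivalent used here).
function render_iframe_safe(array $request): string {
    $frameid = $request['frameid'] ?? 'wpdm-frame';
    $frameid = preg_replace('/[^A-Za-z0-9_-]/', '', $frameid);
    if ($frameid === '') {
        $frameid = 'wpdm-frame';
    }
    $escaped = htmlspecialchars($frameid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe id="' . $escaped . '" src="about:blank"></iframe>';
}

// Check used in a regression test: the rendered element must carry exactly the
// two attributes we wrote, with the id confined to safe characters.
function iframe_is_confined(string $html): bool {
    return (bool) preg_match(
        '#^<iframe id="[A-Za-z0-9_-]+" src="about:blank"></iframe>$#', $html
    );
}

// Constructed request value: a quote followed by an extra attribute. It is
// harmless by itself but demonstrates the attribute breakout.
$request = ['frameid' => 'wpdm" data-injected="1'];

echo render_iframe_unsafe($request), "\n";
var_dump(iframe_is_confined(render_iframe_unsafe($request))); // bool(false)

echo render_iframe_safe($request), "\n";
var_dump(iframe_is_confined(render_iframe_safe($request)));   // bool(true)
```

The unsafe variant emits `data-injected="1"` as a real attribute, which is the same breakout an attacker would use to place an event handler; the hardened variant reduces the value to `wpdmdata-injected1` and the check passes.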
Read more about this bug: external link here and here.