
Cross-Site Scripting Vulnerability in Download Manager Plugin <= 3.2.42

Jun 7, 2022

Download Manager is a file and document management plugin for WordPress that controls file downloads and restricts unauthorized access to files. It also provides a complete solution for selling digital products from a WordPress site, including checkout functionality to complete an order. One of its features is a shortcode that embeds files and other assets in a page or post via an iframe. This feature was found to be vulnerable to reflected Cross-Site Scripting (XSS): a request parameter is written into the page without proper sanitization and escaping, so an attacker can inject JavaScript that runs in the browser of anyone who opens a crafted link. Because the attack is reflected, the attacker has to get a victim (typically a logged-in administrator) to follow the link, but from there the script runs in the victim's session and can rewrite the page, hijack forms to capture what the administrator types, or read cookie values that are not protected by the HttpOnly flag. It is recommended that you update your sites immediately. To avoid site breakage and to ensure timely security updates, it is best to use our WordPress Maintenance Service.

WordPress Download Manager plugin <= 3.2.42 – Reflected Cross-Site Scripting (XSS) vulnerability

Plugin slug: download-manager
Update to version: 3.2.43

The Download Manager plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to and including 3.2.42. The cause is insufficient input sanitization and output escaping of the 'frameid' parameter handled in the plugin's shortcode-iframe.php file. The vulnerability was discovered by Rafie Muhammad (Yeraisci). Update the WordPress Download Manager plugin to the latest available version (at least 3.2.43), which addresses the issue.
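The following is an added example and is not code from the Download Manager plugin or from the advisory's authors. It shows the shape of the bug class in plain PHP: a request parameter written into an HTML attribute without sanitization or escaping, beside a hardened version that validates the value against an allowlist and escapes it for the attribute context. Only the parameter name frameid comes from the advisory; the iframe markup, the function names, the default id and the probe payload are assumptions made for illustration (the plugin's actual shortcode-iframe.php may look different).

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class: a request parameter reflected into an
// HTML attribute, vulnerable form beside hardened form. NOT the plugin's own
// shortcode-iframe.php; only the parameter name 'frameid' comes from the
// advisory, everything else here is assumed for the example.

/**
 * Vulnerable pattern (do not use). The raw value is concatenated into the id
 * attribute, so a value containing a double quote closes the attribute and
 * the rest of the string is parsed by the browser as markup.
 */
function render_iframe_vulnerable(string $frameid, string $src): string
{
    return '<iframe id="' . $frameid . '" src="' . $src . '"></iframe>';
}

/**
 * Input validation. An element id only needs letters, digits, '-' and '_',
 * so anything else is rejected and replaced by the default instead of being
 * "cleaned", and a probe never reaches the output stage at all.
 * WordPress equivalent: sanitize_key() (which strips rather than rejects).
 */
function validate_frameid(string $raw, string $default = 'wpdm-frame'): string
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $raw) === 1 ? $raw : $default;
}

/**
 * Output escaping for the HTML attribute context. WordPress equivalent:
 * esc_attr(). Encodes & < > " ' so the value cannot terminate the attribute
 * or open a tag even if validation were forgotten upstream.
 */
function esc_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: validate on input AND escape on output (defence in depth). */
function render_iframe_safe(string $frameid, string $src): string
{
    return sprintf(
        '<iframe id="%s" src="%s"></iframe>',
        esc_attribute(validate_frameid($frameid)),
        esc_attribute($src)
    );
}

// Constructed request: the generic attribute break-out probe a tester would
// send in ?frameid=... (a standard XSS probe, not a payload from the advisory).
$query   = ['frameid' => '"><img src=x onerror=alert(document.cookie)>'];
$frameid = $query['frameid'] ?? 'wpdm-frame';
$src     = 'https://example.com/embed/1';   // assumed embed URL

echo "Vulnerable output (the injected img element is live markup):\n";
echo render_iframe_vulnerable($frameid, $src), "\n\n";

echo "Hardened output (probe rejected, id falls back to the default):\n";
echo render_iframe_safe($frameid, $src), "\n\n";

echo "Escaping alone, if validation were skipped (quotes and angle brackets encoded):\n";
echo esc_attribute($frameid), "\n";
```

Run it with php on the command line and compare the three outputs. In WordPress code the same two steps are sanitize_key() (or a stricter preg_match allowlist) on the incoming value and esc_attr() at the point of output; fixing only one of the two is what usually leaves a reflected XSS behind. To confirm a site is patched, check the installed version with wp plugin get download-manager --field=version and update with wp plugin update download-manager (or from the Plugins screen); any version 3.2.42 or lower is affected.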
