CVE-2022-2168 Scanner

CVE-2022-2168 Scanner - Cross-Site Scripting (XSS) vulnerability in WordPress Download Manager

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 16 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

WordPress Download Manager is a popular plugin that allows site administrators to manage and track digital file downloads. It is used extensively across educational, commercial, and personal websites for distributing files such as PDFs, ZIP archives, and software packages. With built-in access controls, analytics, and download logs, the plugin enhances file management workflows within the WordPress ecosystem. Administrators rely on it to track user engagement and monitor download activity. The plugin integrates into the WordPress admin panel, offering a detailed stats dashboard. This integration can become a vector for attacks when user input is not properly validated.

This scanner detects a Cross-Site Scripting (XSS) vulnerability in WordPress Download Manager versions before 3.2.44. The vulnerability arises from improper sanitization of the `user_ids` parameter within the plugin’s stats history dashboard. Authenticated attackers can exploit this flaw to inject and execute JavaScript code in the context of other users accessing the same page. The vulnerability is classified as reflected XSS and affects the admin interface, which increases its impact when used against users with elevated permissions. Due to the need for authentication, the severity is medium, but the risk is still notable for shared admin environments.

Exploitation of the vulnerability is achieved by sending a crafted request to the plugin's admin endpoint. Specifically, the `user_ids[]` parameter in the stats history URL is manipulated to contain a malicious script payload. The scanner replicates this by authenticating with valid credentials and then issuing a GET request carrying the payload. The finding is confirmed when the response body reflects the injected script unescaped, together with other indicators such as “No downloads found.” In a real browser the script would execute if another admin user opened the crafted page, enabling session hijacking or further privilege abuse.

Attackers exploiting this vulnerability could gain access to sensitive admin-level sessions, exfiltrate data, or carry out further injection attacks. In shared administrative environments, a single compromised account could be leveraged to affect multiple users or alter site configurations. While the attack requires authentication, the ease of injection and the exposure of unescaped parameters make it a viable threat. It highlights the need for consistent input validation and encoding practices, particularly in high-privilege areas of WordPress plugins.
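As an added illustration of the encoding point above (constructed example, not the plugin's own code, which this page does not reproduce), the PHP below shows the reflection pattern behind this class of bug beside its hardened form: `user_ids[]` values are coerced to integers before use and escaped on output. The function names, the capability used and the text domain are assumptions.

```php
<?php
// Constructed example, not code from WordPress Download Manager.
// Both functions render hidden filter fields for a stats-history screen
// that accepts a request like ?user_ids[]=1&user_ids[]=2.

// Vulnerable pattern: the raw query value is echoed straight into HTML.
// Any value containing markup or script is reflected verbatim, which is
// the reflected XSS class described on this page.
function wpdm_stats_filter_vulnerable() {
    $user_ids = isset( $_GET['user_ids'] ) ? (array) $_GET['user_ids'] : array();
    foreach ( $user_ids as $id ) {
        echo '<input type="hidden" name="user_ids[]" value="' . $id . '">';
    }
    if ( empty( $user_ids ) ) {
        echo '<p>No downloads found.</p>';
    }
}

// Hardened pattern:
//  1. require the capability an admin-only screen should demand
//     ('manage_options' is an assumption, not the plugin's choice),
//  2. coerce every id to a non-negative integer with absint(), so no
//     markup can survive the round trip,
//  3. still escape on output with esc_attr() / esc_html__() as defence in depth.
function wpdm_stats_filter_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-domain' ) );
    }

    $raw      = isset( $_GET['user_ids'] ) ? (array) wp_unslash( $_GET['user_ids'] ) : array();
    $user_ids = array_filter( array_map( 'absint', $raw ) ); // drops 0 and non-numeric input

    foreach ( $user_ids as $id ) {
        echo '<input type="hidden" name="user_ids[]" value="' . esc_attr( $id ) . '">';
    }
    if ( empty( $user_ids ) ) {
        echo '<p>' . esc_html__( 'No downloads found.', 'example-domain' ) . '</p>';
    }
}
```

The integer coercion is the fix that removes the bug; the output escaping is what keeps the page safe if a later change reintroduces a string-typed filter.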
