Cross-Site Scripting Vulnerability In Download Manager Plugin

Wordfence

On May 30, 2022, security researcher Rafie Muhammad reported to us a reflected Cross-Site Scripting (XSS) vulnerability that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. On request, we assigned it the vulnerability identifier CVE-2022-1985.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection.

Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of Download Manager, which is version 3.2.43 at the time of this publication.

Description: Reflected Cross-Site Scripting
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: codename065
Affected Versions: <= 3.2.42
CVE ID: CVE-2022-1985
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Rafie Muhammad (Yeraisci)
Fully Patched Version: 3.2.43
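
To act on the update recommendation above, the following added example (not code from Wordfence or from the plugin) audits WordPress installs on disk for a Download Manager version below 3.2.43. It assumes the standard `wp-content/plugins/<slug>/` layout and a `Version:` field in the plugin's header comment; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "download-manager"  # plugin slug, from the advisory
PATCHED = "3.2.43"                # first fully patched version, from the advisory

# Matches a plugin header line such as " * Version: 1.2.3".
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def parse_version(text):
    """'3.2.42' -> (3, 2, 42); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(version, patched=PATCHED):
    """True when version sorts strictly below the patched release."""
    a, b = parse_version(version), parse_version(patched)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)

def installed_version(plugin_dir):
    """Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit near the top
        if "Plugin Name:" in head:
            m = _VERSION_RE.search(head)
            if m:
                return m.group(1)
    return None

def audit(wp_root):
    """Return (status, version) for one WordPress root directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None or not parse_version(version):
        return ("unknown", version)  # unreadable header: check by hand
    return ("vulnerable" if is_vulnerable(version) else "patched", version)

if __name__ == "__main__":
    for root in sys.argv[1:]:  # pass one or more WordPress root directories
        print(root, *audit(root))
```

A status of `unknown` means the header could not be read or parsed and the install should be checked manually.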

Download Manager is a file and document management plugin that helps manage and control file downloads, with various download controls to restrict unauthorized file access. The plugin also provides a complete solution for selling digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files

Read More: https://www.wordfence.com/blog/2022/06/security-vulnerability-download-manager-plugin/