Simple Downloads List Missing Capability Check Vulnerability Allowing Cross-Site Scripting
Vulnerability
A vulnerability in the Simple Downloads List WordPress plugin, present in versions through 1.4.3, allows authenticated users with Subscriber-level access and above to modify plugin settings and downloads. This issue arises from a lack of proper capability checks on several AJAX endpoints, including 'wp_ajax_neofix_sdl_edit', enabling the injection of malicious web scripts.
Impact
Exploitation of this vulnerability could lead to stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to the 'wp_ajax_neofix_sdl_edit' AJAX endpoint. The request can include parameters to modify download details or plugin settings, such as the download name, description, category, and download link. This can be done through the WordPress admin interface or by using a tool that facilitates AJAX requests, such as Postman.
Remediation
Users are advised to update the Simple Downloads List plugin to version 1.5.0 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.