CVE-2022-25605: WP-DownloadManager
Multiple authenticated stored cross-site scripting (XSS) vulnerabilities were discovered in the WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters: download_path, download_path_url, download_page_url. Because these are settings that the plugin stores and later renders back into its admin pages, a user who can save them can plant script that runs for every other administrator who opens the page; the fix is in 1.68.7 (the changelog entry "FIXED: esc_attr()"), so sites on 1.68.6 or earlier should upgrade.
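The following is an added illustration, not code from WP-DownloadManager, of the pattern behind a stored XSS of this kind and of the attribute escaping that closes it: a saved option rendered back into a settings form without escaping, beside the same field rendered through esc_attr(). The field name, the payload value and the helper functions are constructed for this example; the esc_attr() stand-in exists only so the file runs under a plain php interpreter, and inside WordPress the real esc_attr() is used instead.

```php
<?php
// Added example, not WP-DownloadManager's code: an admin option (here the
// downloads-folder path) rendered back into a settings form, first without
// and then with attribute escaping. All names and values below are constructed.

// Stand-in so this file runs under plain `php`; inside WordPress the real
// esc_attr() exists and this definition is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed payload: a value an authenticated user could save as the
// downloads folder. The double quote ends the value attribute and the rest
// of the string becomes attributes of the <input> tag.
const STORED_DOWNLOAD_PATH = '/var/www/downloads" autofocus onfocus="alert(document.domain)';

// Vulnerable pattern: the raw option value is interpolated into an attribute.
function render_option_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: every attribute value passes through esc_attr() at output
// time, so a quote inside the value becomes &quot; and cannot end the attribute.
function render_option_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '" />';
}

// Check: which on* event attributes does the rendered tag carry? Double-quoted
// attributes are tokenized the way a browser splits the tag; after escaping,
// the payload's onfocus= text sits inside value="..." and is not an attribute.
function injected_event_attributes(string $html): array
{
    preg_match_all('/\s([a-zA-Z][\w-]*)="[^"]*"/', $html, $m);
    return array_values(array_filter($m[1], fn ($attr) => stripos($attr, 'on') === 0));
}

$unsafe = render_option_field_unsafe('download_path', STORED_DOWNLOAD_PATH);
$safe   = render_option_field_safe('download_path', STORED_DOWNLOAD_PATH);

echo "unsafe : $unsafe\n";
echo "escaped: $safe\n";
echo 'unsafe  event attributes: ', json_encode(injected_event_attributes($unsafe)), "\n"; // ["onfocus"]
echo 'escaped event attributes: ', json_encode(injected_event_attributes($safe)), "\n";   // []
```

Run it with php and compare the two printed input tags: in the unsafe one the attacker-supplied quote closes the value attribute and an onfocus handler follows it; in the escaped one the quote is rendered as &quot; and stays inside the attribute. Sanitizing at save time is not a substitute for this: the 1.68.1 changelog mentions wp_kses_post(), which is a post-content filter that passes a bare double quote through, so every value echoed into an attribute still needs esc_attr() at output, and URL-valued options such as download_page_url should additionally go through esc_url().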
General Usage
- You need to re-generate the permalinks: WP-Admin -> Settings -> Permalinks -> Save Changes
- To embed a specific file to be downloaded into a post/page, use [download id="2"], where 2 is your file id.
- To embed multiple files to be downloaded into a post/page, use [download id="1,2,3"], where 1,2,3 are your file ids.
- To limit the number of embedded downloads shown for each post in a post stream, use the stream_limit option. Example: [download id="2" stream_limit="4"]. This will only display the first 4 downloads for the post when rendered in a post stream, and display the full list of downloads when viewing the single post.
- To sort embedded downloads, use the sort_by and sort_order options. Example: [download id="2" sort_by="file_id" sort_order="asc"]. This will sort the embedded downloads by file ID in ascending order. Valid values for sort_by are: file_id, file, file_name, file_size, file_date, and file_hits.
- To choose what to display within the embedded file, use [download id="1" display="both"], where 1 is your file id; both will display both the file name and the file description, whereas name will only display the file name. Note that this will override the “Download Embedded File” template you have in your Download Templates.
- To embed files as well as categories, use [download id="1,2,3" category="4,5,6"], where 1,2,3 are your file ids and 4,5,6 are your category ids.
- If you are using Default Permalinks, the file direct download link will be http://yoursite.com/index.php?dl_id=2. If you are using Nice Permalinks, the file direct download link will be http://yoursite.com/download/2/, where yoursite.com is your WordPress URL and 2 is your file id.
- The direct download category link will be http://yoursite.com/downloads/?dl_cat=3, where yoursite.com is your WordPress URL, downloads is your Downloads Page name and 3 is your download category id.
- In order to upload the files straight to the downloads folder, the folder must be writable by the web server. The original instructions say to CHMOD it to 777; avoid a world-writable directory under the web root, and instead make the folder owned by the web server user with 755 (or group-writable 775) so that other local accounts cannot plant files in it. You can specify which folder to be the downloads folder in Download Options.
- You can configure the Download Options in WP-Admin -> Downloads -> Download Options
- You can configure the Download Templates in WP-Admin -> Downloads -> Download Templates
Downloads Page
- Go to WP-Admin -> Pages -> Add New
- Type any title you like in the post’s title area
- If you ARE using nice permalinks, after typing the title, WordPress will generate the permalink to the page. You will see an ‘Edit’ link just beside the permalink. Click ‘Edit’, type downloads in the text field and click ‘Save’.
- Type [page_download] in the post’s content area. You can also use [page_download category="1"]; this will display all downloads in Category ID 1.
- Click ‘Publish’
Download Stats (With Widgets)
- Go to WP-Admin -> Appearance -> Widgets
- The widget name is Downloads.
Development
- https://github.com/lesterchan/wp-downloadmanager
Translations
- http://dev.wp-plugins.org/browser/wp-downloadmanager/i18n/
Credits
- Plugin icon by Freepik from Flaticon
- Icons courtesy of FamFamFam
- Download Icon by Ryan Zimmerman
Donations
- I spent most of my free time creating, updating, maintaining and supporting these plugins, if you really love my plugins and could spare me a couple of bucks, I will really appreciate it. If not feel free to use it without any obligations.
To Display Most Downloaded
<?php if (function_exists('get_most_downloaded')): ?>
<?php get_most_downloaded(); ?>
<?php endif; ?>
- The first value you pass in is the maximum number of files you want to get.
- Default:
get_most_downloaded(10);
To Display Recent Downloads
<?php if (function_exists('get_recent_downloads')): ?>
<?php get_recent_downloads(); ?>
<?php endif; ?>
- The first value you pass in is the maximum number of files you want to get.
- Default:
get_recent_downloads(10);
To Display Downloads By Category
<?php if (function_exists('get_downloads_category')): ?>
<?php get_downloads_category(1); ?>
<?php endif; ?>
- The first value you pass in is the category id.
- The second value you pass in is the maximum number of files you want to get.
- Default: get_downloads_category(1, 10);
I change my rating because it refers to another plugin.
NOT ONLY DID THEY NOT REFUND THE MONEY THAT THEY WERE LEGALLY OBLIGATED TO DURING THE 14-DAY PERIOD AFTER PURCHASING, AFTER THEIR PLUGINS HAD PROBLEMS FUNCTIONING, THEY asked for logins to fix it and they messed the whole website up. Will never do business again with them; they just take your money and run away. Plugins are coded by idiots; it’s impossible to combine them with modern plugins or themes, and they keep telling you to buy more plugins to make it work as it should. Seriously, stay away from them.
There is no support. After a month, still waiting for support.
Lightweight plugin that does exactly what it says. Shortcodes and Templates are very customisable. Remember to create a folder and upload your files via FTP first, then update Permalinks. After that works perfectly.
Excellent. This is the lightest and most efficient download plugin. Be sure to use this plugin.
Could you add a download statistics log, recording the downloading user, IP, country, region and so on? Also, for users without permission, clicking shows a “no permission to download” message; could this be made customizable, changed to an Elementor popup template, with support for the Elementor editor?
“WP-DownloadManager” is open source software. The following people have contributed to this plugin.
Contributors
- Lester Chan
Version 1.68.8
- FIXED: Download Categories not parsing properly.
Version 1.68.7
- FIXED: esc_attr()
Version 1.68.6
- NEW: Add filter wp_downloadmanager_file_extension_image and wp_downloadmanager_file_extension_images_path
- FIXED: XSS in download-manager.php. Props to Ngo Van Thien and Patchstack.
Version 1.68.5
- FIXED: Validation of remote file to prevent Server Side Request Forgery (SSRF) as reported by WordPress Plugin Review Team
Version 1.68.4
- NEW: Bump WordPress 5.4
- FIXED: Unix timestamp sorting order
Version 1.68.3
- NEW: Bump WordPress 5.3
Version 1.68.2
- NEW: WordPress 4.7
- FIXED: Pagination not working
- FIXED: Remove eregi
- FIXED: Remote file URL would get broken if the remote file URL was really ugly
Version 1.68.1
- NEW: Uses wp_kses_post() for better field sanitization
Version 1.68
- NEW: Use translate.wordpress.org to translate the plugin
- FIXED: Some WordPress installs don’t have wp_user_level because it has been deprecated
Version 1.67
- FIXED: Notices
Version 1.66
- FIXED: Notices in Widget Constructor for WordPress 4.3
Version 1.65
- FIXED: Integration with WP-Stats
Version 1.64
- NEW: Supports WordPress MultiSite Network Activate
- NEW: Uses native WordPress uninstall.php
- FIXED: Notices
Version 1.63
- NEW: Added %FILE_EXT% template variable that output the file extension
- FIXED: Editor button was outputting the wrong shortcode.
- FIXED: ReferenceError: downloadssEdL10n is not defined if TinyMCE 4.0 is loaded outside the Add/Edit Posts/Pages.
- FIXED: Added backward compatibility with [download=1] in order not to break older downloads.
Version 1.62
- NEW: Uses Dash Icons
- NEW: Supports TinyMCE 4.0 For WordPress 3.9
- NEW: Added sorting to embedded downloads. Props ksze.
- NEW: You can now choose to display file sizes in either binary base or decimal base (i.e. KiB vs KB), using either %FILE_SIZE or %FILE_SIZE_DEC; %CATEGORY_SIZE and %TOTAL_SIZE also have their _DEC counterparts. Props ksze.
Version 1.61
- FIXED: Added nonce to Options. Credits to Charlie Eriksen via Secunia SVCRP.
Version 1.60 (08-11-2010)
- NEW: Display File ID In Message After Adding A File
- FIXED: Bug In Remote File With Using Nice Permalink and File Name