CVE-2022-25605: WP-DownloadManager

Multiple authenticated stored cross-site scripting (XSS) vulnerabilities were discovered in the WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters: download_path, download_path_url and download_page_url.
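The bug class behind this advisory is a plugin option (such as a download path) that an administrator saves and that the settings page later echoes back into an HTML attribute without escaping; the 1.68.7 changelog entry "FIXED: esc_attr()" points at the same fix. The following is an added illustration written for this page, not WP-DownloadManager's own code: it assumes WordPress is loaded (current_user_can, check_admin_referer, sanitize_text_field, esc_url_raw, esc_attr, esc_url are core functions), and the option names, field names and nonce action are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded.
// Option names, field names and the nonce action are hypothetical.

// --- Saving the settings: capability check, nonce check, sanitization on input ---
function dlm_example_save_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'dlm_example_options' ); // rejects forged (CSRF) submissions

    $path     = sanitize_text_field( wp_unslash( $_POST['download_path'] ?? '' ) );
    $path_url = esc_url_raw( wp_unslash( $_POST['download_path_url'] ?? '' ) ); // cleaned URL for storage
    $page_url = esc_url_raw( wp_unslash( $_POST['download_page_url'] ?? '' ) );

    update_option( 'dlm_example_download_path', $path );
    update_option( 'dlm_example_download_path_url', $path_url );
    update_option( 'dlm_example_download_page_url', $page_url );
}

// --- Rendering, UNSAFE: the stored value is concatenated into a quoted attribute
// verbatim, so a saved value containing a double quote ends the attribute and the
// remainder is parsed as markup. This is the stored-XSS pattern the advisory describes. ---
function dlm_example_render_unsafe() {
    $path = get_option( 'dlm_example_download_path', '' );
    echo '<input type="text" name="download_path" value="' . $path . '" />';
}

// --- Rendering, HARDENED: escape at output time for the context the value is used in
// (esc_attr for attribute text, esc_url for href/URL-valued attributes). ---
function dlm_example_render_safe() {
    $path     = get_option( 'dlm_example_download_path', '' );
    $path_url = get_option( 'dlm_example_download_path_url', '' );
    $page_url = get_option( 'dlm_example_download_page_url', '' );

    wp_nonce_field( 'dlm_example_options' );
    echo '<input type="text" name="download_path" value="' . esc_attr( $path ) . '" />';
    echo '<input type="text" name="download_path_url" value="' . esc_url( $path_url ) . '" />';
    echo '<input type="text" name="download_page_url" value="' . esc_url( $page_url ) . '" />';
}
```

Sanitizing on save reduces what reaches the database, but escaping on output is the control that actually prevents the injection: a value written by an older plugin version, or by direct database access, still goes through esc_attr() before it lands in the page.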


General Usage

  1. You need to regenerate the permalinks: WP-Admin -> Settings -> Permalinks -> Save Changes
  2. To embed a specific file to be downloaded into a post/page, use [download id="2"] where 2 is your file id.
  3. To embed multiple files to be downloaded into a post/page, use [download id="1,2,3"] where 1,2,3 are your file ids.
  4. To limit the number of embedded downloads shown for each post in a post stream, use the stream_limit option.
    1. Example: [download id="2" stream_limit="4"]
    2. This will only display the first 4 downloads for the post when rendered in a post stream, and display the full list of downloads when viewing the single post.
  5. To sort embedded downloads, use the sort_by and sort_order options.
    1. Example: [download id="2" sort_by="file_id" sort_order="asc"]
    2. This will sort the embedded downloads by file ID in ascending order.
    3. Valid values for sort_by are: file_id, file, file_name, file_size, file_date, and file_hits
  6. To choose what to display within the embedded file, use [download id="1" display="both"] where 1 is your file id; both will display both the file name and file description, whereas name will only display the file name. Note that this will override the “Download Embedded File” template you have in your Download Templates.
  7. To embed files as well as categories, use [download id="1,2,3" category="4,5,6"] where 1,2,3 are your file id and 4,5,6 are your category ids.
  8. If you are using Default Permalinks, the file direct download link will be http://yoursite.com/index.php?dl_id=2. If you are using Nice Permalinks, the file direct download link will be http://yoursite.com/download/2/, where yoursite.com is your WordPress URL and 2 is your file id.
  9. The direct download category link will be http://yoursite.com/downloads/?dl_cat=3, where yoursite.com is your WordPress URL, downloads is your Downloads Page name and 3 is your download category id.
  10. In order to upload files straight to the downloads folder, the folder must first be CHMOD to 777. You can specify which folder is the downloads folder in Download Options.
  11. You can configure the Download Options in WP-Admin -> Downloads -> Download Options
  12. You can configure the Download Templates in WP-Admin -> Downloads -> Download Templates

Downloads Page

  1. Go to WP-Admin -> Pages -> Add New
  2. Type any title you like in the post’s title area
  3. If you ARE using nice permalinks, after typing the title, WordPress will generate the permalink to the page. You will see an ‘Edit’ link just beside the permalink.
  4. Click ‘Edit’ and type in downloads in the text field and click ‘Save’.
  5. Type [page_download] in the post’s content area.
  6. You can also use [page_download category="1"], this will display all downloads in Category ID 1.
  7. Click ‘Publish’

Download Stats (With Widgets)

  1. Go to WP-Admin -> Appearance -> Widgets
  2. The widget name is Downloads.

Development

  • https://github.com/lesterchan/wp-downloadmanager

Translations

  • http://dev.wp-plugins.org/browser/wp-downloadmanager/i18n/

Credits

  • Plugin icon by Freepik from Flaticon
  • Icons courtesy of FamFamFam
  • Download Icon by Ryan Zimmerman

Donations

  • I spend most of my free time creating, updating, maintaining and supporting these plugins. If you really love my plugins and could spare me a couple of bucks, I will really appreciate it. If not, feel free to use them without any obligations.

To Display Most Downloaded

<?php if (function_exists('get_most_downloaded')): ?>
    <?php get_most_downloaded(); ?>
<?php endif; ?>
  • The first value you pass in is the maximum number of files you want to get.
  • Default: get_most_downloaded(10);

To Display Recent Downloads

<?php if (function_exists('get_recent_downloads')): ?>
    <?php get_recent_downloads(); ?>
<?php endif; ?>
  • The first value you pass in is the maximum number of files you want to get.
  • Default: get_recent_downloads(10);

To Display Downloads By Category

<?php if (function_exists('get_downloads_category')): ?>
    <?php get_downloads_category(1); ?>
<?php endif; ?>
  • The first value you pass in is the category id.
  • The second value you pass in is the maximum number of files you want to get.
  • Default: get_downloads_category(1, 10);

I change my rating because it refers to another plugin.

NOT ONLY THAT THEY DID NOT REFUND THE MONEY THAT THEY WERE LEGALLY OBLIGATED TO REFUND DURING THE 14-DAY PERIOD AFTER PURCHASING; AFTER THEIR PLUGINS HAD PROBLEMS FUNCTIONING, THEY asked for logins to fix it and they messed the whole website up. Will never do business again with them; they just take your money and run away. Plugins are coded by idiots; it’s impossible to combine them with modern plugins or themes, and they keep telling you to buy more plugins to make it work as it should. Seriously, stay away from them.

There is no support. After a month, still waiting for support.

Lightweight plugin that does exactly what it says. Shortcodes and Templates are very customisable. Remember to create a folder and upload your files via FTP first, then update Permalinks. After that works perfectly.

Excellent. This is the lightest and most efficient download plugin. Be sure to use this plugin.

Could you add a download statistics log? Something that records the downloading user, IP, country, region, and so on. Also, for users without permission, clicking shows a “no permission to download” message; could this be made customizable, changed to an Elementor popup template with support for the Elementor editor?


“WP-DownloadManager” is open source software. The following people have contributed to this plugin.

Contributors

  • Lester Chan

Version 1.68.8

  • FIXED: Download Categories not parsing properly.

Version 1.68.7

  • FIXED: esc_attr()

Version 1.68.6

  • NEW: Add filter wp_downloadmanager_file_extension_image and wp_downloadmanager_file_extension_images_path
  • FIXED: XSS in download-manager.php. Props to Ngo Van Thien and Patchstack.

Version 1.68.5

  • FIXED: Validation of remote file to prevent Server Side Request Forgery (SSRF) as reported by WordPress Plugin Review Team
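The 1.68.5 entry above describes validating an administrator-supplied remote file URL before the server fetches it, so the plugin cannot be turned into a proxy to internal hosts. The block below is an added illustration for this page, not the plugin's own implementation: it assumes WordPress is loaded and uses the core functions wp_http_validate_url(), wp_safe_remote_head() and wp_remote_retrieve_header(); the function name is hypothetical.

```php
<?php
// Added example, not WP-DownloadManager's code. Assumes WordPress core is loaded.
// Returns the remote file's Content-Length as an int, or a WP_Error when the URL
// is refused or the request fails.
function dlm_example_fetch_remote_file_size( $url ) {
    // wp_http_validate_url() accepts only http/https URLs without userinfo, and
    // refuses hosts that are, or resolve to, loopback/private ranges
    // (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) unless the
    // http_request_host_is_external filter allows them. It returns the URL or false.
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'dlm_invalid_remote_url', 'Remote file URL not allowed.' );
    }

    // wp_safe_remote_head() sets reject_unsafe_urls, so the URL is re-validated
    // inside the HTTP API and a redirect to an internal host is refused as well.
    // A HEAD request is enough to learn the size without downloading the body.
    $response = wp_safe_remote_head( $validated, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    $length = wp_remote_retrieve_header( $response, 'content-length' );
    return '' === $length ? 0 : (int) $length;
}
```

Two design choices matter here: validation happens server-side on every request, not only in the admin form, and the validated URL (not the raw input) is what gets fetched, so there is no window between the check and the use.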

Version 1.68.4

  • NEW: Bump WordPress 5.4
  • FIXED: Unix timestamp sorting order

Version 1.68.3

  • NEW: Bump WordPress 5.3

Version 1.68.2

  • NEW: WordPress 4.7
  • FIXED: Pagination not working
  • FIXED: Remove eregi
  • FIXED: Remote file URL would break if the remote file URL contained unusual characters

Version 1.68.1

  • NEW: Uses wp_kses_post() for better field sanitization

Version 1.68

  • NEW: Use translate.wordpress.org to translate the plugin
  • FIXED: Some WordPress installs don’t have wp_user_level because it has been deprecated

Version 1.67

  • FIXED: Notices

Version 1.66

  • FIXED: Notices in Widget Constructor for WordPress 4.3

Version 1.65

  • FIXED: Integration with WP-Stats

Version 1.64

  • NEW: Supports WordPress MultiSite Network Activate
  • NEW: Uses native WordPress uninstall.php
  • FIXED: Notices

Version 1.63

  • NEW: Added %FILE_EXT% template variable that outputs the file extension
  • FIXED: Editor button was outputting the wrong shortcode.
  • FIXED: ReferenceError: downloadssEdL10n is not defined if TinyMCE 4.0 is loaded outside the Add/Edit Posts/Pages.
  • FIXED: Added backward compatibility with [download=1] in order not to break older downloads.

Version 1.62

  • NEW: Uses Dash Icons
  • NEW: Supports TinyMCE 4.0 For WordPress 3.9
  • NEW: Added sorting to embedded downloads. Props ksze.
  • NEW: You can now choose to display file sizes in either binary base or decimal base (i.e. KiB vs KB), using either %FILE_SIZE or %FILE_SIZE_DEC; %CATEGORY_SIZE and %TOTAL_SIZE also have their _DEC counterparts… Props ksze.

Version 1.61

  • FIXED: Added nonce to Options. Credits to Charlie Eriksen via Secunia SVCRP.

Version 1.60 (08-11-2010)

  • NEW: Display File ID In Message After Adding A File
  • FIXED: Bug In Remote File With Using Nice Permalink and File Name
