[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3spWYhfPgWwXI__QAqrpM2paMBLObTcg9gjYez1S5nc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2383","simple-download-monitor-authenticated-contributor-stored-cross-site-scripting-via-custom-field","Simple Download Monitor \u003C= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field","The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","simple-download-monitor",null,"\u003C=4.0.5","4.0.6","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-26 19:24:24","2026-02-27 08:24:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F556e41d1-2c98-4175-87ba-29689704c2f0?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2383\n\n## 1. Vulnerability Summary\nThe **Simple Download Monitor** plugin for WordPress (versions \u003C= 4.0.5) contains a stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin fails to adequately sanitize and escape custom field data associated with \"Download\" items (Custom Post Type: `sdm_downloads`). Specifically, when a user with Contributor-level permissions or higher creates or edits a download, they can inject arbitrary JavaScript into a custom field. This script is then executed in the context of any user (including administrators) who views the download page or a page containing the download's shortcode.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fpost.php` (Standard WordPress post saving) or via the plugin's meta box update logic.\n- **Vulnerable Hook:** `save_post_sdm_downloads` (inferred) which triggers the saving of metadata.\n- **HTTP Parameter:** Likely `sdm_item_description` or a specific metadata field such as `sdm_other_details` or a dedicated custom field parameter (e.g., `sdm_custom_field_name`).\n- **Required Authentication:** Authenticated user with **Contributor** role or higher. Contributors can create and edit their own `sdm_downloads` posts.\n- **Preconditions:** The plugin must be active, and the attacker must have credentials for a Contributor-level account.\n\n## 3. Code Flow\n1.  **Input:** A Contributor submits a form to save or update an `sdm_downloads` post.\n2.  **Processing:** The plugin catches the save action, likely in `includes\u002Fadmin-side\u002Fsdm-admin-individual-item-meta-boxes.php` within a function named similarly to `sdm_save_download_meta_data`.\n3.  **Persistence:** The code calls `update_post_meta( $post_id, 'some_meta_key', $_POST['vulnerable_parameter'] )`. In version 4.0.5, this input is not passed through `sanitize_text_field` or `wp_kses`.\n4.  **Retrieval:** When a user visits the download page, the plugin retrieves the value using `get_post_meta( $post_id, 'some_meta_key', true )`.\n5.  **Sink:** The value is output directly in the template (likely in `includes\u002Fsdm-download-shortcodes.php` or `sdm-post-type-content-handler.php`) using `echo $meta_value;` without calling `esc_html`, `esc_attr`, or `wp_kses`.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability involves saving a standard WordPress Custom Post Type. WordPress handles CSRF protection for post saves using the `_wpnonce` field on the `post.php` page.\n\n**Strategy:**\n1.  **Create Contributor:** Use WP-CLI to create a contributor user.\n2.  **Log In:** Navigate to `wp-login.php` and authenticate.\n3.  **Navigate to Create:** Navigate to `wp-admin\u002Fpost-new.php?post_type=sdm_downloads`.\n4.  **Extract Nonce:** Use `browser_eval` to extract the `_wpnonce` from the form.\n    - `browser_eval(\"document.querySelector('#_wpnonce').value\")`\n5.  **Extract Post ID:** Extract the `post_ID` (if auto-drafted) or use the one provided in the form.\n\n## 5. Exploitation Strategy\nWe will use the Contributor account to inject a payload into the \"Other Details\" or \"Description\" field of a Download item.\n\n### Step-by-Step Plan:\n1.  **Setup Account:** Create a contributor user `attacker`.\n2.  **Initial Navigation:** Log in as `attacker` and go to the \"Add New Download\" page.\n3.  **Identify Field:** Search the page source for metadata fields. Based on plugin research, the vulnerable field is likely `sdm_item_description` (if it uses a textarea without KSES) or a custom field like `sdm_external_thumbnail_url` if used in an `src` attribute.\n    - *Note:* If the vulnerability is \"via Custom Field,\" look for a field labeled \"Other Details\" or a repeating custom field section.\n4.  **Payload Injection:**\n    - **Target URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n    - **Method:** `POST`\n    - **Payload:** `{\"action\": \"editpost\", \"post_ID\": \"[ID]\", \"_wpnonce\": \"[NONCE]\", \"sdm_item_description\": \"\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>\", \"post_title\": \"Malicious Download\", \"post_type\": \"sdm_downloads\"}`\n    - **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n5.  **Triggering:** Navigate to the public URL of the created download or create a page with the shortcode `[sdm_download id=\"[ID]\" fancy=\"1\"]`.\n6.  **Admin Verification:** Log in as an Administrator and view the page to confirm the script executes in the Admin's session.\n\n## 6. Test Data Setup\n1.  **User:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n2.  **Plugin Setup:** Ensure \"Simple Download Monitor\" is installed and active.\n3.  **Shortcode Page:** Create a public page to view the payload if the direct CPT link is restricted.\n    - `wp post create --post_type=page --post_status=publish --post_title=\"Download View\" --post_content='[sdm_download id=\"REPLACE_WITH_ID\"]'`\n\n## 7. Expected Results\n- The `update_post_meta` call will store the raw `\u003Cscript>` tag in the `wp_postmeta` table.\n- When the download page or shortcode is rendered, the HTML source will contain the raw script: `\u003Cdiv class=\"sdm_download_description\">\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>\u003C\u002Fdiv>`.\n- A browser alert box appearing with `XSS_SUCCESS` when the page is viewed.\n\n## 8. Verification Steps\n1.  **Database Check:** Use WP-CLI to verify the content of the meta field.\n    - `wp post meta get [POST_ID] sdm_item_description`\n    - Confirm it contains the unescaped `\u003Cscript>` tag.\n2.  **Frontend Inspection:** Use `http_request` to fetch the public page and grep for the payload.\n    - `response.body` should contain `\u003Cscript>alert('XSS_SUCCESS')\u003C\u002Fscript>`.\n\n## 9. Alternative Approaches\n- **External Thumbnail URL:** If `sdm_item_description` is sanitized in some versions, check `sdm_external_thumbnail_url`. If it is echoed into an `\u003Cimg> src` or a `value` attribute without `esc_attr`, use: `\" onerror=\"alert(1)`.\n- **Shortcode Attributes:** Test if a Contributor can use the `[sdm_download]` shortcode in a post and if the plugin fails to escape attributes like `button_text`.\n    - Payload: `[sdm_download id=\"1\" button_text='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n- **AJAX Endpoint:** Check if the plugin uses a specific AJAX handler for saving downloads (e.g., `wp_ajax_sdm_save_download`) which might lack nonce\u002Fcapability checks.","The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom fields in the 'sdm_downloads' post type. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into fields such as the download description, which then executes when any user, including administrators, views the affected download page or a shortcode displaying it.","\u002F\u002F includes\u002Fadmin-side\u002Fsdm-admin-individual-item-meta-boxes.php (approximate saving logic)\nif (isset($_POST['sdm_item_description'])) {\n    \u002F\u002F No sanitization before saving metadata\n    update_post_meta($post_id, 'sdm_item_description', $_POST['sdm_item_description']);\n}\n\n---\n\n\u002F\u002F includes\u002Fsdm-download-shortcodes.php (approximate rendering logic)\n$description = get_post_meta($post_id, 'sdm_item_description', true);\n\u002F\u002F No output escaping before echoing to the page\necho '\u003Cdiv class=\"sdm_download_description\">' . $description . '\u003C\u002Fdiv>';","--- a\u002Fincludes\u002Fadmin-side\u002Fsdm-admin-individual-item-meta-boxes.php\n+++ b\u002Fincludes\u002Fadmin-side\u002Fsdm-admin-individual-item-meta-boxes.php\n@@ -10,1 +10,1 @@\n-update_post_meta($post_id, 'sdm_item_description', $_POST['sdm_item_description']);\n+update_post_meta($post_id, 'sdm_item_description', wp_kses_post($_POST['sdm_item_description']));\n\n--- a\u002Fincludes\u002Fsdm-download-shortcodes.php\n+++ b\u002Fincludes\u002Fsdm-download-shortcodes.php\n@@ -20,1 +20,1 @@\n-echo '\u003Cdiv class=\"sdm_download_description\">' . $description . '\u003C\u002Fdiv>';\n+echo '\u003Cdiv class=\"sdm_download_description\">' . wp_kses_post($description) . '\u003C\u002Fdiv>';","To exploit this vulnerability, an attacker requires a WordPress account with at least Contributor permissions. The attacker navigates to the 'Downloads' section and creates a new download item. In the description field (or any custom metadata field provided by the plugin), they inject a script payload such as \u003Cscript>alert(1)\u003C\u002Fscript>. Upon saving the post, the plugin stores the raw script in the database without sanitization. The XSS is triggered when any user visits the public permalink for that download or views a page where the download is rendered via a shortcode (e.g., [sdm_download id=\"123\"]), as the plugin outputs the stored metadata without appropriate escaping.","gemini-3-flash-preview","2026-04-18 23:01:49","2026-04-18 23:03:28",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.0.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-download-monitor\u002Ftags\u002F4.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-download-monitor.4.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-download-monitor\u002Ftags\u002F4.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-download-monitor.4.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsimple-download-monitor\u002Ftags"]