# Exploit Title: Wordpress Plugin: Wordpress Download Manager Free & Pro
Persistent Cross Site Scripting
# Google Dork:
# Date: 12-06-2013
# Exploit Author: IT Nerdbox
# Vendor Homepage: http://www.wpdownloadmanager.com # Software Link:
http://downloads.wordpress.org/plugin/download-manager.zip
# Version: v3.3.8
# Tested on: Wordpress 3.7.1 on Linux CentOS # CVE : N/A
When creating a new download package you need to enter a title, description
and the file(s) that you want to be available for download. The title input
field is not sanitized and therefor vulnerable to persistent cross site
scripting. The payload used is <input onmouseover=prompt(document.cookie)>
More information, including screenshots, can be found at:
http://www.nerdbox.it/wordpress-download-manager-xss/