I have now found code to get the dropdowns to open.
Hello,
If I deactivate Bootstrap CSS, the whole layout of the directory-page gets broken.
Kind regards,
Waldemar
Hello,
Is it possible to tell me a code snippet to disable this function?
Kind regards,
Waldemar
Hello,
this is what I get from the security researcher:
I, Mr. RAVI PRAJAPATI, a white security researcher, found a Cross-site Scripting (XSS) vulnerability on https://www.multitalent.ag
What is cross-site scripting?
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.
Steps to reproduce
1. Using any browser (except IE), go to https://www.multitalent.ag/ru/?__wpdm_pdf_viewer=%3C/SCript%3E%3CsvG/onLoad=prompt(9)%3E
2. You will get a pop-up of XSS
The proof of concept is attached below.
NOTE: https://www.multitalent.ag/ru/?__wpdm_pdf_viewer=%3C/SCript%3E%3CsvG/onLoad=prompt(9)%3E
The screenshot is attached to verify.
For better understanding, refer to these reports:
https://hackerone.com/reports/292457
https://hackerone.com/reports/150568
https://hackerone.com/reports/474656
Impact of XSS:
1. Stealing cookies
2. The attacker can execute JS code.
3. The attacker can steal data
Kind regards,
Waldemar
Hello,
It would be nice if you could tell me a code snippet to disable this function, if possible without changing the main files, so these changes won’t be deleted after an update.
Kind regards,
Waldemar
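A must-use plugin along the lines requested above, as an added example that is not part of the original posts and is not WP Download Manager's own code. It assumes the plugin reads `__wpdm_pdf_viewer` from PHP's request superglobals; the `mt_`/`MT_` names and the file name are hypothetical.

```php
<?php
/**
 * Plugin Name: Drop __wpdm_pdf_viewer (added example, hypothetical name)
 * Save as wp-content/mu-plugins/drop-wpdm-pdf-viewer.php; files in
 * mu-plugins load before regular plugins and survive plugin updates.
 */

const MT_BLOCKED_PARAM = '__wpdm_pdf_viewer'; // parameter named in the report

/** True when the value is not a plain string or carries HTML metacharacters. */
function mt_value_carries_markup( $value ) {
    if ( ! is_string( $value ) ) {
        return true; // ?param[]=... arrives as an array; treat as hostile
    }
    // Undo up to three layers of percent-encoding before inspecting.
    for ( $i = 0; $i < 3; $i++ ) {
        $decoded = rawurldecode( $value );
        if ( $decoded === $value ) {
            break;
        }
        $value = $decoded;
    }
    return 1 === preg_match( '/[<>"\'`]/', $value );
}

function mt_drop_wpdm_pdf_viewer() {
    $value = $_GET[ MT_BLOCKED_PARAM ] ?? $_POST[ MT_BLOCKED_PARAM ] ?? null;
    if ( null === $value ) {
        return; // parameter absent: nothing to do
    }
    // Assumption: the plugin reads the value from these superglobals.
    unset( $_GET[ MT_BLOCKED_PARAM ], $_POST[ MT_BLOCKED_PARAM ], $_REQUEST[ MT_BLOCKED_PARAM ] );

    if ( mt_value_carries_markup( $value ) ) {
        // Log an encoded, truncated copy so the log line cannot be forged.
        $sample = is_string( $value ) ? rawurlencode( substr( $value, 0, 120 ) ) : '[array]';
        error_log( 'Rejected ' . MT_BLOCKED_PARAM . ' from '
            . ( $_SERVER['REMOTE_ADDR'] ?? '-' ) . ': ' . $sample );
        // Stop before anything can echo the raw query string back.
        http_response_code( 400 );
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'Bad request' );
    }
}

mt_drop_wpdm_pdf_viewer();
```

This switches the viewer parameter off for every request; the lasting fix is a plugin release that escapes the value where it is written into the page.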
Thank you!
OK, thank you.
If I open the package, the child category is not the active one, it’s the wrong one, where the package is also available.
The package is available in two child-categories of different parent-categories.
So if I open the package in the child-categories of parent-category B, the breadcrumbs show me the categories of parent-category A.
Thank you!
You can see this on https://www.multitalent.ag/service/aktuelle-angebote-dokumente/
(Font Awesome is deactivated on WPDM)
If Font Awesome is activated on WPDM, you can see that the icons on the homepage (https://www.multitalent.ag) aren’t working right.
Hello,
Betheme is on the newest version and WPDM (v. 5.0.1), but the issue is still there. If I deactivate Font Awesome on WPDM the Icons on the Page are working right but the Icons of WPDM aren’t working.
If I activate Font Awesome on WPDM, the Icons are working on WPDM but not all on the page (BeTheme + Visual Composer).
Do you have any fix for this?
Kind regards,
Waldemar
Hello,
I’ve set a download-tag to a package. The Tag is visible, but if I click on it, the archive-page is blank.
Kind regards,
Waldemar
Thank you!
Thank you. I will try this.
But I think this is not a really easy solution for the future. Maybe other users would like this option too, if this were a feature in WPDM.
Kind regards,
Waldemar
Oh sorry, you’re right. My mistake.
I wrote in the wrong post.
My question referred to “https://www.wpdownloadmanager.com/support/topic/hide-everything-and-access-by-categories-is-not-working-well/”, Point 2
“2. The Widget “WPDM New Packages” doesn’t show any files for users (USER A) who have permissions to some categories and the files are for example older than the new ones (for which the logged-in user doesn’t have the permission). User B with other permissions can see the new files, for which he has the permissions. In this case USER A has to see the older files. USER B sees also the new ones.”
Do you have something new for this? You wrote “However, found the issue that creating this situation. But the patch is rather lengthy. So, we will fix it in our next release.”
Kind regards,
Waldemar
Hello,
Is there something new?
Kind regards,
Waldemar
I have the problem that all filenames are in German. All package names are translated to different languages.
In my example I have one file in 9 different languages. So one package has the file in German, the other package has the file in English or in another language. Each package is duplicated in all other languages, so all users can access the files in German, English or in another language.
But if I have to delete an old version of one document, I have to search for the packages in all different languages. This costs a lot of time. If I could search for filenames it would be much easier and faster.
Attached you will see some documents in different languages.
You’re right. Thank you.
Hello,
After some tests, Point 1 (Widget WPDM_Category) is working on the default language. But the translations aren’t visible. All translations are duplicated from the default language and the widget is set to “Multilingual”.
Could you please have a look at that? I think it needs a small change in the code, which was updated.
Kind regards,
Waldemar
OK, thank you!
Hello,
I don’t see any changes for Point 2.
Point 1 is working well.
Kind regards,
Waldemar