Vulnerabilities and security researches forzarinpal-paid-downloads zarinpal-paid-downloads

Jan 18, 2025

CVE, Research URL: CVE-2025-22766
Home page URL: Security reports for Zarinpal Paid Download
Application: Zarinpal Paid Download
Date: Jan 15, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Masoud Amini Zarinpal Paid Download zarinpal-paid-downloads allows Reflected XSS.This issue affects Zarinpal Paid Download: from n/a through <= 2.3.
Affected versions: max 2.3.
Status: vulnerable

Feb 02, 2025

CVE, Research URL: CVE-2024-13543
Home page URL: Security reports for Zarinpal Paid Download
Application: Zarinpal Paid Download
Date: Feb 11, 2025
Research Description: The Zarinpal Paid Download WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions: max 2.3.
Status: vulnerable

Feb 13, 2025

CVE, Research URL: CVE-2024-13544
Home page URL: Security reports for Zarinpal Paid Download
Application: Zarinpal Paid Download
Date: Feb 11, 2025
Research Description: The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
Affected versions: max 2.3.
Status: vulnerable