cleantalk
Vulnerabilities and Security Researches

Simple Download Counter, CVE-2023-4838

CVE, Research URL

CVE-2023-4838

Home page URL

Security reports for Simple Download Counter

Application

Simple Download Counter

Published on
Sep 09, 2023
Research Description
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 1.6.1.
Status
vulnerable
Previous vulnerability researches
Simple Download Counter (CVE-2025-46240) , Apr 24, 2025
Simple Download Counter (CVE-2023-4838) , Jun 06, 2024
Simple Download Counter (CVE-2025-1730) , Mar 04, 2025
New vulnerability
WS Form LITE – Drag & Drop Contact Form Builder for WordPress (CVE-2025-3912) , Apr 28, 2025
Upsell Order Bump Offer for WooCommerce – Increase Sales and AOV, Upsell & Cross-sell Offers on Checkout Page (CVE-2025-3743) , Apr 28, 2025
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes (CVE-2025-3280) , Apr 28, 2025
FuseDesk (CVE-2025-3832) , Apr 27, 2025
Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress (CVE-2025-2801) , Apr 27, 2025