Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires victim page view (UI:R); contributor auth required (PR:L); scope change affects victim browser session (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.
AnalysisAI
Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an attacker to hold a WordPress contributor role or higher on the target site - anonymous or subscriber-level users cannot inject shortcode attributes in post content. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.4 (Medium) reflects network-reachable, low-privilege exploitation with a changed scope affecting other users' browser sessions (C:L/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor-level WordPress account edits or creates a post embedding a Download Manager shortcode with a crafted value in the 'note_before' or 'note_after' attribute - using HTML constructs permitted by wp_kses_post (such as an image tag with an event attribute that survives kses filtering) to carry a JavaScript payload. When any site visitor or administrator loads the affected page, the unsanitized sink in reg-form.php renders the payload, executing the attacker's JavaScript in the victim's browser context and enabling session token theft, credential harvesting, or unauthorized admin actions. … |
| Remediation | Update the Download Manager plugin to the version released after changeset 3594267 in the WordPress plugin repository - the exact patched release version is not confirmed in the available input data, so verify the current version in the WordPress.org plugin directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Download Manager
View allAn issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receivin
The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users
The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.
Unauth. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low at
SQL injection vulnerability in download.php in phux Download Manager allows remote attackers to execute arbitrary SQL co
The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowin
The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PH
The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a downlo
The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and
The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files.
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42522
GHSA-v367-5mw9-22gq