What is the CVSS score of EUVD-2026-20253?

EUVD-2026-20253 has a CVSS 3.1 base score of 5.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. EPSS exploitation probability: 0.0%.

Download Manager EUVD-2026-20253

Q: Which versions of Download Manager are affected by EUVD-2026-20253?

Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers.

| CVE-2026-39615 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-08 Patchstack

GHSA-rg5f-p7fv-c42m

XSS Download Manager

5.9

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.9 MEDIUM

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20253

Analysis Generated

Apr 08, 2026 - 08:45 vuln.today

CVE Published

Apr 08, 2026 - 08:30 nvd

MEDIUM 5.9

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.

AnalysisAI

Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a constrained real-world risk despite the stored XSS classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An administrator account (compromised via credential theft, malware, or insider threat) logs into WordPress and uploads a malicious file or modifies file metadata within the Download Manager plugin, injecting stored JavaScript that executes when site visitors view the download page or file listing. The injected script could steal session cookies, perform actions on behalf of visitors, or redirect users to phishing pages. …
Remediation	Update Shahjada Download Manager to a version newer than 3.3.53 immediately; consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-3-51-cross-site-scripting-xss-vulnerability?_s_id=cve for patch availability and exact version details. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-20253 vulnerability details – vuln.today

Back