Skip to main content

Download Manager EUVDEUVD-2026-42522

| CVE-2026-14343 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-v367-5mw9-22gq
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim page view (UI:R); contributor auth required (PR:L); scope change affects victim browser session (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:44 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.4

DescriptionCVE.org

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.

AnalysisAI

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress contributor
Delivery
Embed malicious shortcode attribute in post
Exploit
Payload survives wp_kses_post save filter
Execution
Victim user loads injected page
Persist
Unescaped sink renders payload in browser
Impact
Attacker JavaScript executes in victim session

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker to hold a WordPress contributor role or higher on the target site - anonymous or subscriber-level users cannot inject shortcode attributes in post content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) reflects network-reachable, low-privilege exploitation with a changed scope affecting other users' browser sessions (C:L/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor-level WordPress account edits or creates a post embedding a Download Manager shortcode with a crafted value in the 'note_before' or 'note_after' attribute - using HTML constructs permitted by wp_kses_post (such as an image tag with an event attribute that survives kses filtering) to carry a JavaScript payload. When any site visitor or administrator loads the affected page, the unsanitized sink in reg-form.php renders the payload, executing the attacker's JavaScript in the victim's browser context and enabling session token theft, credential harvesting, or unauthorized admin actions. …
Remediation Update the Download Manager plugin to the version released after changeset 3594267 in the WordPress plugin repository - the exact patched release version is not confirmed in the available input data, so verify the current version in the WordPress.org plugin directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2023-6421 HIGH POC
7.5 Jan 01

The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receivin

CVE-2014-9260 HIGH POC
8.8 Aug 07

The basic_settings function in the download manager plugin for WordPress before 2.7.3 allows remote authenticated users

CVE-2022-2431 HIGH POC
8.8 Sep 06

The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including 3.2.

CVE-2022-45836 MEDIUM POC
6.3 Apr 18

Unauth. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low at

CVE-2012-0980 HIGH POC
7.5 Feb 02

SQL injection vulnerability in download.php in phux Download Manager allows remote attackers to execute arbitrary SQL co

CVE-2023-1809 HIGH POC
7.5 May 02

The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowin

CVE-2022-2362 HIGH POC
7.5 Aug 22

The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PH

CVE-2022-0828 HIGH POC
7.5 Apr 11

The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a downlo

CVE-2024-11740 HIGH POC
7.3 Dec 19

The The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and

CVE-2023-1524 MEDIUM POC
6.5 May 30

The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files.

CVE-2022-2101 MEDIUM POC
6.4 Jul 18

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter

Share

EUVD-2026-42522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy