Description
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Download Manager plugin for WordPress contains a stored cross‑site scripting flaw that allows authenticated users with author privileges or higher to inject arbitrary JavaScript through attributes of the wpdm_user_dashboard shortcode. Because the shortcode text is saved with the post, the payload persists in the site database and runs in the browser of every viewer who opens the affected page, enabling content tampering, session or credential theft, or delivery of further malicious code. The weakness is CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, basic XSS). Per the CVSS vector it affects confidentiality and integrity of site visitors and administrators; availability is not impacted (A:N).

Affected Systems

The vulnerability affects the Download Manager plugin for WordPress (identified on this page as codename065:Download Manager and by the CPE cpe:2.3:a:w3eden:download_manager, which covers the free WordPress edition), all releases up to and including version 3.3.18. Any WordPress site with one of those versions installed and active is potentially exposed, regardless of hosting environment.

Risk and Exploitability

This is a medium-severity flaw with a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N): reachable over the network, low complexity, low privileges required, with changed scope because the script executes in other users' browsers rather than in the attacker's own context. The EPSS score indicates a very low probability of exploitation (<1%), the SSVC record below notes no known exploitation, and the CVE is not listed in CISA's KEV catalog. Exploitation requires an authenticated account with author-level access or higher; the attacker then saves a post or page containing the wpdm_user_dashboard shortcode with a crafted attribute value. Because that content is stored, the injected script runs for every visitor who views the page, including administrators, which is what makes a stored XSS more consequential than a reflected one.

Generated by OpenCVE AI on April 22, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The advisory title (Download Manager <= 3.3.18) and the recommended actions below indicate the fix shipped in 3.3.19.

OpenCVE Recommended Actions

  • Upgrade the Download Manager plugin to version 3.3.19 or newer, which sanitizes and escapes the shortcode attributes.
  • If an upgrade is not immediately feasible, unregister the wpdm_user_dashboard shortcode (for example with remove_shortcode() from a must-use plugin, hooked late enough on init to run after the plugin registers it) or restrict publishing of content containing it to trusted administrators. Also review existing posts and pages for the shortcode: an upgrade fixes the renderer but does not remove payloads already stored in post content.
  • Plugin code should sanitize shortcode attributes on input (sanitize_text_field, absint for numeric values) and escape them on output for the context where they land (esc_attr inside HTML attributes, esc_html in text nodes, wp_kses with an allow-list where limited markup is intended). Input sanitization alone does not stop attribute-context breakout, since sanitize_text_field leaves quote characters intact.
  • Implement a Content Security Policy that disallows inline scripts (no 'unsafe-inline'; use nonces or hashes for legitimate inline code) and limits script sources to trusted origins. This mitigates residual XSS flaws as defense in depth but is not a substitute for the patch.
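As an added illustration, not code from the Download Manager plugin, the following generic WordPress shortcode handler shows the vulnerable pattern the advisory describes (a user-supplied attribute written into HTML without escaping) beside a hardened version applying the sanitization and escaping named above. The shortcode name demo_user_dashboard, the attribute names, the markup, and the constructed test attributes are assumptions for this example only.

```php
<?php
// Added example, not the plugin's code. Shortcode name, attributes and
// markup are assumed for illustration. Requires WordPress: shortcode_atts,
// sanitize_text_field, absint, esc_attr, esc_html and add_shortcode are core APIs.

// Vulnerable shape: attribute values flow straight into HTML.
// An Author can save [demo_user_dashboard cols='" onmouseover="alert(1)']
// in a post. wp_kses filters HTML tags, not shortcode text, so the value is
// stored verbatim and breaks out of the data-cols attribute on every render.
function demo_user_dashboard_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'My Downloads', 'cols' => '3' ),
        $atts,
        'demo_user_dashboard'
    );
    return '<div class="demo-dashboard" data-cols="' . $atts['cols'] . '">'
         . '<h2>' . $atts['title'] . '</h2>'
         . '</div>';
}

// Hardened shape: sanitize on input, constrain type and range, then escape
// on output for the exact context (attribute value vs. text node).
function demo_user_dashboard_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'My Downloads', 'cols' => '3' ),
        $atts,
        'demo_user_dashboard'
    );

    // Strip tags, line breaks and stray octets; quotes survive this step,
    // which is why esc_html() below is still required.
    $title = sanitize_text_field( $atts['title'] );

    // Force an integer and clamp it, so no string can reach the attribute.
    $cols = max( 1, min( 6, absint( $atts['cols'] ) ) );

    return '<div class="demo-dashboard" data-cols="' . esc_attr( $cols ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2>'
         . '</div>';
}

add_shortcode( 'demo_user_dashboard', 'demo_user_dashboard_safe' );

// Self-check outside a page request, e.g. `wp eval-file this-file.php`:
// the same constructed attributes render inert through the hardened handler
// (data-cols="1", title with & and " entity-encoded).
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $constructed = array(
        'cols'  => '" onmouseover="alert(1)',   // constructed attribute-breakout input
        'title' => 'Reports & "Exports"',        // constructed text-node input
    );
    echo demo_user_dashboard_vulnerable( $constructed ), "\n";
    echo demo_user_dashboard_safe( $constructed ), "\n";
}
```

The breakout in the vulnerable handler needs nothing more than a double quote in an attribute value, which is why escaping per output context matters and why a sanitizer that preserves quotes is not enough on its own. Authors lack the unfiltered_html capability, so their post content passes through wp_kses, but kses inspects HTML tags, not the text inside shortcode brackets; handlers that echo attributes are therefore a recurring Author+ stored XSS class. After upgrading, audit stored content for the shortcode with a WP_Query search (for example `wp post list --s='[wpdm_user_dashboard' --post_status=any --fields=ID,post_author,post_modified`) and review any instance saved by accounts you do not fully trust.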



Advisories
Source: EUVD
ID: EUVD-2025-18680
Title: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 09 Jul 2025 19:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: W3eden; W3eden Download Manager
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:w3eden:download_manager:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: W3eden; W3eden Download Manager

Fri, 20 Jun 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Jun 2025 04:00:00 +0000

Type: Description
  Values Added: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Added: Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode
Type: Weaknesses
  Values Added: CWE-80
Type: References
  Values Added: (none recorded on this page)
Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:42.462Z

Reserved: 2025-05-05T18:08:42.449Z

Link: CVE-2025-4367

Vulnrichment

Updated: 2025-06-20T12:38:25.451Z

NVD

Status : Analyzed

Published: 2025-06-19T04:15:36.313

Modified: 2025-07-09T19:00:59.393

Link: CVE-2025-4367

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses