Impact
The vulnerability allows an authenticated contributor or higher to store malicious scripts through the 'no_data_msg' attribute of a shortcode. The payload is saved to the post content, bypassing the typical wp_kses_post filter because the filter does not remove C‑style escape sequences that are later re‑assembled into a script tag when the page is rendered. Once injected, the script runs in the browser of any user who views the affected page, enabling session hijacking, defacement, or data theft.
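The ordering problem described above (filter first, decode escapes afterwards) can be audited for in stored post content. The following is an added example, not code from the plugin or from this advisory: it decodes C-style escapes inside any no_data_msg attribute and flags values that only gain `<` or `>` after decoding. The shortcode name `example_shortcode`, the exact escape forms handled (`\xHH`, octal, single-letter) and the sample strings are assumptions constructed for illustration.

```python
import re

# Assumption: the attribute is stored as no_data_msg="..." or no_data_msg='...'
# inside a shortcode tag in post_content.
ATTR_RE = re.compile(r"""\bno_data_msg\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
# C-style escapes: \xHH, \NNN (octal), or a backslash plus any single character.
ESC_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.S)
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "a": "\a", "v": "\v", "b": "\b", "f": "\f"}

def decode_c_escapes(value):
    """Decode C-style escape sequences the way a late unescape step would."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x" and len(tok) > 1:
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)
        return SIMPLE.get(tok, tok)
    return ESC_RE.sub(repl, value)

def find_suspicious(post_content):
    """Return (raw, decoded) pairs where decoding introduces markup characters."""
    hits = []
    for m in ATTR_RE.finditer(post_content):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        decoded = decode_c_escapes(raw)
        # A value that contains no '<' or '>' when filtered, but does after
        # decoding, is exactly what an HTML filter run too early cannot see.
        if any(c in decoded and c not in raw for c in "<>"):
            hits.append((raw, decoded))
    return hits

# Constructed sample post_content values (benign markup, hypothetical shortcode).
SAMPLES = [
    r'[example_shortcode no_data_msg="No downloads found"]',
    r'[example_shortcode no_data_msg="\x3cb\x3eNone\x3c/b\x3e"]',
    r"[example_shortcode no_data_msg='\74i\76None']",
]

if __name__ == "__main__":
    for content in SAMPLES:
        for raw, decoded in find_suspicious(content):
            print(f"flag: {raw!r} decodes to {decoded!r}")
```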
Affected Systems
WordPress sites using the Download Manager plugin (codename065:Download Manager), in any version up to and including 3.3.60. The flaw is in the shortcode handling code, which is present in all releases prior to 3.3.61.
Risk and Exploitability
The CVSS score of 6.4 indicates medium severity, with a Medium to Hard exploitation difficulty. EPSS data is not available, and the vulnerability is not recorded in CISA’s KEV catalog. Exploitation requires only contributor‑level access, meaning that any user who can add or edit posts may inject a payload. Because the attack vector is authenticated and local, the opportunity to exploit is limited to sites with a compromised contributor account or to attackers who can log in unnoticed.