Description
The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Simple Download Monitor WordPress plugin is vulnerable to stored cross‑site scripting via its custom field, allowing an authenticated user with Contributor or higher privileges to embed arbitrary JavaScript that executes in the browser of any visitor who views an affected page. This client‑side injection flaw (CWE‑79) can lead to cookie theft, session hijacking, defacement or the execution of further malicious payloads without the victim’s knowledge.

Affected Systems

All WordPress sites that have installed Simple Download Monitor version 4.0.5 or earlier are affected. The vulnerability exists in every installation of the plugin within that version range, regardless of other plugins or theme configurations, and requires only that the authenticated user be able to create or edit download items.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), placing it in the medium severity range, and an EPSS score below 1%, indicating a low probability of exploitation at present. It is not listed in the CISA KEV catalog, and the SSVC assessment recorded on 6 Mar 2026 (Exploitation: none, Automatable: no, Technical Impact: partial) agrees. Attackers must be authenticated and hold at least Contributor access, so the vector is an authenticated but low-privilege one: Contributor is the default WordPress role for users who can draft content but not publish it. Exploitation requires creating or editing a download item and inserting malicious JavaScript into its custom field; the payload is then stored and rendered, without escaping, whenever the page is accessed by any user.

Generated by OpenCVE AI on April 15, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Simple Download Monitor to a release later than 4.0.5 once one that addresses this issue is available, and confirm the fix from the release notes.
  • If an upgrade cannot be performed immediately, reduce the privileges of existing Contributor users or revoke their ability to create or edit download items altogether.
  • Implement a web application firewall or content-filtering rules that block requests attempting to store script tags or event-handler attributes in user‑provided content, or escape the custom field on output (esc_html()/esc_attr() in WordPress) so that any injected markup renders as inert text.

Generated by OpenCVE AI on April 15, 2026 at 23:51 UTC.
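Added illustration of the CWE-79 pattern described in the Impact section and of the escape-on-output fix the Recommended Actions call for. This is hypothetical code written for this page, not Simple Download Monitor's own and not from OpenCVE: the record layout, field name and renderer functions are assumptions, the payload is constructed, and htmlspecialchars() stands in for WordPress's esc_html() so the file runs with plain PHP 8 and no WordPress install.

```php
<?php
// Added illustration of the CWE-79 pattern in this advisory. Hypothetical code:
// not Simple Download Monitor's own, and the record layout is an assumption.
declare(strict_types=1);

// Constructed download item as a Contributor could save it. The custom-field
// value is the attacker-controlled payload (no <script> tag needed).
$download = [
    'title'        => 'Quarterly report',
    'custom_field' => '<img src=x onerror="alert(document.cookie)">',
];

// Vulnerable pattern: stored value concatenated into HTML with no escaping.
function render_custom_field_vulnerable(array $item): string
{
    return '<div class="download-custom">' . $item['custom_field'] . '</div>';
}

// Hardened pattern: escape on output. Inside WordPress this is esc_html();
// htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent used here so
// the file runs without WordPress loaded.
function render_custom_field_hardened(array $item): string
{
    $safe = htmlspecialchars($item['custom_field'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="download-custom">' . $safe . '</div>';
}

// Check the rendered HTML the way a browser would see it: parse it and look
// for script-bearing elements, on* event handlers and javascript: URLs.
// A grep for "onerror" would false-positive on the escaped text, so use a parser.
function contains_active_markup(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // fragment input is fine
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array(strtolower($el->tagName), ['script', 'iframe', 'object', 'embed'], true)) {
            return true;
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->name);
            if (str_starts_with($name, 'on')) {  // onerror, onload, onclick, ...
                return true;
            }
            if (in_array($name, ['src', 'href', 'action'], true)
                && str_starts_with(strtolower(trim($attr->value)), 'javascript:')) {
                return true;
            }
        }
    }
    return false;
}

foreach (['vulnerable' => render_custom_field_vulnerable($download),
          'hardened'   => render_custom_field_hardened($download)] as $label => $html) {
    printf("%-10s active markup: %s\n  %s\n", $label,
           contains_active_markup($html) ? 'YES' : 'no', $html);
}
```

Run with `php example.php`: the vulnerable rendering carries the live `onerror` handler, while the hardened one contains only escaped text and the DOM check finds no element or handler. Output escaping is the control that closes the hole even when tainted data is already in the database; on the input side, WordPress does not grant Contributors the unfiltered_html capability, so a plugin that stores their custom-field value should also pass it through wp_kses_post() or sanitize_text_field() on save rather than trusting the role to have been filtered elsewhere.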

Tracking


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Mra13; Mra13 simple Download Monitor; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Mra13; Mra13 simple Download Monitor; Wordpress; Wordpress wordpress

Fri, 27 Feb 2026 08:45:00 +0000

Type: Description
Values Added: The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added:
  {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Mra13 Simple Download Monitor
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:28.783Z

Reserved: 2026-02-11T22:02:29.167Z

Link: CVE-2026-2383

Vulnrichment

Updated: 2026-03-06T18:46:03.428Z

NVD

Status : Deferred

Published: 2026-02-27T09:16:17.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses