Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting (XSS) that allows arbitrary JavaScript injection on victim browsers
Action: Patch Now
AI Analysis

Impact

An improper neutralization of input web page generation in Shahjada's Download Manager plugin enables stored cross‑site scripting. This vulnerability means an attacker can inject malicious JavaScript that is later rendered in the browser of any user who views the affected content, potentially leading to session hijacking, defacement, or other malicious client‑side actions.

Affected Systems

The flaw affects all instances of the Shahjada Download Manager WordPress plugin with versions up through 3.3.53. Any site that has installed this plugin or any of its predecessors may be vulnerable unless updated.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate risk, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the KEV catalog. Attackers would likely need access to the administrative interface or a content editing capability to inject the malicious payload, after which the stored XSS would affect all visitors to the impacted pages.

Generated by OpenCVE AI on April 10, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Download Manager plugin to the latest version that is not affected by the XSS flaw (e.g., version 3.3.54 or newer).
  • Verify that all user‑generated content is properly sanitized by the plugin’s current configuration.

Generated by OpenCVE AI on April 10, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Shahjada
Shahjada download Manager
Wordpress
Wordpress wordpress
Vendors & Products Shahjada
Shahjada download Manager
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.
Title WordPress Download Manager plugin <= 3.3.53 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Shahjada Download Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.577Z

Reserved: 2026-04-07T10:57:27.974Z

Link: CVE-2026-39615

cve-icon Vulnrichment

Updated: 2026-04-10T16:23:40.458Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:31.323

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39615

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:25:11Z

Weaknesses