The vulnerability is a stored cross‑site scripting flaw that arises from improper neutralization of user input during web page generation. When an attacker supplies malicious script payloads through the Download Manager interface, these inputs are saved to the database and later rendered unfiltered in the front‑end. This enables the attacker to execute arbitrary JavaScript in the browsers of any user who views the affected pages, potentially leading to session hijacking, defacement, or phishing attempts. The weakness corresponds to CWE‑79. The impact is confined to client‑side execution but can be leveraged for broader attacks if the user is authenticated or privileged. The vulnerability is explicitly described as "Stored XSS", indicating persistent exposure of injected code.

The affected product is the WordPress plugin "Download Manager" developed by Shahjada. Versions from the earliest release through 3.3.53 are vulnerable. Users must check whether their installation runs any of these versions; if so, they are at risk.

The CVSS score is not publicly provided, but the nature of a stored XSS suggests a moderate to high risk if the plugin is used in a publicly accessible site. Exploitability is straightforward: an attacker must craft input that the plugin accepts—most likely through the admin interface or upload forms—and later expose the data to unsuspecting visitors. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. Nonetheless, the potential for client‑side compromise makes it worth addressing promptly.