Description
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Simple Download Counter WordPress plugin contains a stored XSS weakness that arises when the 'text' and 'cat' attributes of the sdc_menu shortcode are not sanitized or escaped before being written to the page. An attacker who can add or edit content and has Contributor level access can supply malicious JavaScript that is injected directly into the HTML of any post, page, or widget containing the shortcode, causing the script to run in the browsers of all visitors that view the page. This does not grant direct server access but enables client‑side attacks such as phishing or cookie theft for any user who loads the affected content.

Affected Systems

WordPress installations running the Simple Download Counter plugin version 2.3 or earlier are affected. The vulnerability applies to all releases up to and including 2.3 and requires the attacker to have at least Contributor level privileges to edit or create content that uses the vulnerable shortcode.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Exploitation requires authenticated access, specifically Contributors or higher, which limits the potential attacker pool. The flaw is not listed in CISA’s KEV catalog and no EPSS score is available, but any user who views an affected page could be exposed to arbitrary script execution.

Generated by OpenCVE AI on March 26, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Download Counter plugin to a version newer than 2.3 that includes the fix.
  • If an update cannot be performed immediately, remove the plugin or disable the sdc_menu shortcode from publicly accessible pages.
  • Limit Contributor and higher privileges to trusted users or temporarily revoke contributor rights while the issue is resolved.

Generated by OpenCVE AI on March 26, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Specialk
Specialk simple Download Counter
Wordpress
Wordpress wordpress
Vendors & Products Specialk
Specialk simple Download Counter
Wordpress
Wordpress wordpress

Thu, 26 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Specialk Simple Download Counter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:37.077Z

Reserved: 2026-03-16T15:27:01.754Z

Link: CVE-2026-4278

cve-icon Vulnrichment

Updated: 2026-03-26T17:48:18.082Z

cve-icon NVD

Status : Deferred

Published: 2026-03-26T05:16:39.917

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:08:36Z

Weaknesses