Description
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Published: 2026-04-09
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Stored cross‑site scripting enabling authenticated contributors to inject and execute arbitrary JavaScript
Action: Patch immediately
AI Analysis

Impact

The vulnerability comes from the way the plugin handles a parameter in a short‑code that is meant to be an identifier. The parameter value is stored without any filtering and is later directly inserted into the page’s markup. A user who can write or edit the short‑code with at least contributor rights can therefore place malicious script code into the parameter and have that script executed whenever any visitor loads a page that renders the short‑code.
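As an added illustration, not the plugin's own code, the following PHP shows the unsafe pattern the description outlines next to its hardened form. The shortcode name, function names and meta key are assumed placeholders; shortcode_atts(), get_the_ID(), update_post_meta(), sanitize_key() and esc_attr() are WordPress core functions.

```php
<?php
// Added example (not code from the Download Manager plugin): the two
// handlers below show the shortcode-attribute-to-HTML-id flow described
// in the advisory. Names prefixed "example_" are assumptions.

// BEFORE: the attribute is stored and echoed exactly as supplied.
// A value containing a double quote can close the id="" attribute and
// the rest of the value becomes markup, which is the stored XSS.
function example_members_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'sid' => '' ), $atts, 'example_members' );

    // Raw, user-controlled value persisted to post meta.
    update_post_meta( get_the_ID(), '_example_members_sid', $atts['sid'] );

    // Raw value written into an attribute without esc_attr().
    return '<div id="' . $atts['sid'] . '" class="example-members"></div>';
}

// AFTER: sanitize on the way in, escape on the way out.
function example_members_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'sid' => '' ), $atts, 'example_members' );

    // sanitize_key() lowercases and keeps only [a-z0-9_-], which is the
    // shape an HTML id is expected to have; only that value is stored.
    $sid = sanitize_key( $atts['sid'] );
    update_post_meta( get_the_ID(), '_example_members_sid', $sid );

    // esc_attr() encodes <, >, &, " and ' so the value cannot terminate
    // the attribute even if a future change relaxes the sanitizer.
    return '<div id="' . esc_attr( $sid ) . '" class="example-members"></div>';
}

add_shortcode( 'example_members', 'example_members_shortcode_hardened' );
```

The two controls are deliberately independent: the allowlist at storage time keeps bad data out of post meta, and the escape at render time protects the template regardless of what is in the database. When auditing a site during remediation, the stored meta values are where previously injected identifiers would persist, so review them rather than only the rendered pages.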

Affected Systems

All WordPress instances that use the Download Manager plugin maintained by codename065 and run a version up to and including 3.3.52 are affected. The flaw exists purely within the plugin, independent of the core WordPress platform, so any site running a vulnerable plugin version is at risk.

Risk and Exploitability

The base score suggests a moderate risk level. Exploitation requires authenticated access with contributor or higher privileges to edit the short‑code. No public exploit is available, and the issue is not listed in CISA’s catalog of known exploited vulnerabilities. Once the malicious code is inserted, it will run for every visitor to pages that include the short‑code, potentially enabling data theft, site defacement or further compromise. The overall threat is moderate but should be remediated promptly.

Generated by OpenCVE AI on April 9, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Download Manager plugin to version 3.3.53 or later.
  • Verify that any existing short‑codes no longer contain unsanitized identifiers and remove or escape them.
  • If an update cannot be applied, restrict contributor or higher access to pages that contain the short‑code, or disable the short‑code entirely.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Codename065
                                      Codename065 download Manager Plugin
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Codename065
                                      Codename065 download Manager Plugin
                                      Wordpress
                                      Wordpress wordpress

Thu, 09 Apr 2026 03:30:00 +0000

Type          Values Removed   Values Added
Description                    The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Title                          Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Codename065 Download Manager Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T02:25:05.524Z

Reserved: 2026-04-01T17:01:10.398Z

Link: CVE-2026-5357

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T04:17:14.810

Modified: 2026-04-09T04:17:14.810

Link: CVE-2026-5357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:13Z

Weaknesses