CVE-2026-39615

Download Manager <= 3.3.53 - Authenticated (Author+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.4

CVSS Score

6.4

CVSS Score

medium

Severity

3.3.54

Patched in

65d

Time to patch

Description

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Low

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<=3.3.53

PublishedFebruary 10, 2026

Last updatedApril 15, 2026

Affected plugindownload-manager

What Changed in the Fix

Changes introduced in v3.3.54

Loading patch diff...

Source Code

WordPress.org SVN

Vulnerable v3.3.53

Browse source Download .zip

Patched v3.3.54

Browse source Download .zip

Research Plan

Unverified

# Exploitation Research Plan - CVE-2026-39615 (Download Manager) ## 1. Vulnerability Summary The Download Manager plugin (<= 3.3.53) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of package metadata. Specifically, the `WPDM\Admin\Menu\…

Show full research plan

Exploitation Research Plan - CVE-2026-39615 (Download Manager)

1. Vulnerability Summary

The Download Manager plugin (<= 3.3.53) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of package metadata. Specifically, the WPDM\Admin\Menu\Packages::savePackage method, which handles the saving of "Download" (wpdmpro) post metadata, contains logic that bypasses sanitization for certain fields like password and uses inadequate escaping (htmlspecialchars without ENT_QUOTES) for others like link_label. This allows an authenticated user with Author-level permissions or higher to inject malicious scripts into package metadata, which are subsequently rendered in the WordPress admin area or on the frontend package pages.

2. Attack Vector Analysis

Endpoint: /wp-admin/post.php (for updating) or /wp-admin/post-new.php (for creating).
Hook: save_post (which triggers WPDM\Admin\Menu\Packages::savePackage).
Target Post Type: wpdmpro (Downloads).
Vulnerable Parameters: file[password], file[link_label], file[version], file[package_size].
Authentication: Authenticated Author+. The user must have edit_post capability for the package and the upload_files capability (standard for Authors).
Preconditions: The plugin must be active, and the attacker must be able to create or edit a wpdmpro post.

3. Code Flow

Entry Point: When a user saves a wpdmpro post, WordPress fires the save_post action.
Hook Registration: In src/Admin/Menu/Packages.php, the __construct method registers the hook: add_action( 'save_post', array( $this, 'savePackage' ) );.
Capability Check: savePackage checks if the user can edit_post and upload_files (lines 47-49).
Metadata Iteration: The function iterates over the $_POST['file'] array (line 70).
Sanitization Bypass (Password):
```
// src/Admin/Menu/Packages.php:75
if ( $meta_key == 'password' ) {
    //don't alter/sanitize password
}
```
If the key is password, it hits an empty block, skipping the else block's htmlspecialchars sanitization. The raw input is then passed directly to update_post_meta (line 105).
Inadequate Sanitization (Other fields):
```
// src/Admin/Menu/Packages.php:103
else {
    $meta_value = is_array( $meta_value ) ? wpdm_sanitize_array( $meta_value, 'txt' ) : htmlspecialchars( $meta_value );
}
```
For other fields (e.g., link_label), it uses htmlspecialchars. By default (in PHP < 8.1), this does not escape single quotes ('), allowing attribute breakout if the value is rendered inside a single-quoted attribute (e.g., <input value='$label'>).
Sink: update_post_meta( $post, $key_name, $meta_value ); (line 105). The malicious script is stored in the database.
Execution: The payload executes when a user (admin or visitor) views the package in the backend list, editor, or frontend single package page.

4. Nonce Acquisition Strategy

This vulnerability exploits the standard WordPress post saving mechanism.

Requirement: A

Research Findings

Static analysis — not yet PoC-verified

Summary

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of package metadata. Authenticated attackers with Author-level access and above can inject malicious scripts into fields like 'password' or 'icon', which are then executed when an administrator views the package list or editor in the WordPress backend.

Vulnerable Code

// src/Admin/Menu/Packages.php:77
if ( $meta_key == 'password' ) {
    //don't alter/sanitize password
}
// ...
else {
    $meta_value = is_array( $meta_value ) ? wpdm_sanitize_array( $meta_value, 'txt' ) : htmlspecialchars( $meta_value );
}
update_post_meta( $post, $key_name, $meta_value );

---

// src/Admin/Menu/Packages.php:271
$icon = get_post_meta( $post_ID, '__wpdm_icon', true );
if ( $icon != '' ) {
    $icon = $icon;
    echo "<img src='$icon' class='img60px' alt='Icon' />";
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/download-manager/3.3.53/src/Admin/Menu/Packages.php /home/deploy/wp-safety.org/data/plugin-versions/download-manager/3.3.54/src/Admin/Menu/Packages.php
--- /home/deploy/wp-safety.org/data/plugin-versions/download-manager/3.3.53/src/Admin/Menu/Packages.php	2025-12-23 00:39:38.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/download-manager/3.3.54/src/Admin/Menu/Packages.php	2026-04-15 00:05:36.000000000 +0000
@@ -269,7 +269,7 @@
 			} else {
 				$icon = get_post_meta( $post_ID, '__wpdm_icon', true );
 				if ( $icon != '' ) {
-					$icon = $icon;
+					$icon = esc_url($icon);
 					echo "<img src='$icon' class='img60px' alt='Icon' />";
 				}
 			}

Exploit Outline

The exploit targets the package saving logic triggered via the standard WordPress post editor. An attacker with Author+ privileges (requiring 'edit_posts' and 'upload_files' capabilities) performs the following steps: 1. Navigate to the 'Downloads' menu and create or edit a package (post type 'wpdmpro'). 2. Submit a POST request to '/wp-admin/post.php' including the metadata array in the 'file' parameter. 3. To exploit the 'password' field, the payload 'file[password]' is set to a raw script tag like '<script>alert(1)</script>', which bypasses sanitization entirely. 4. To exploit the 'icon' field, the payload 'file[icon]' is set to an attribute injection string like "x' onerror='alert(1)". Because the plugin uses 'htmlspecialchars' without ENT_QUOTES, the single quote is not escaped. 5. The payload is stored in the database via 'update_post_meta'. 6. The script executes when an administrator visits the 'All Downloads' list in the admin panel, where the 'icon' metadata is rendered inside a single-quoted 'src' attribute of an 'img' tag.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/0184b2b5-0b50-407e-8911-b0845714ea17?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database