[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYX9TsPBA9kVW3_82bRrDMWk1ritD2DlLjDpYbb_u8Io":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-39615","download-manager-authenticated-author-stored-cross-site-scripting","Download Manager \u003C= 3.3.53 - Authenticated (Author+) Stored Cross-Site Scripting","The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","download-manager",null,"\u003C=3.3.53","3.3.54","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-10 00:00:00","2026-04-15 21:33:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0184b2b5-0b50-407e-8911-b0845714ea17?source=api-prod",65,[22,23,24,25],"download-manager.php","readme.txt","src\u002FAdmin\u002FMenu\u002FPackages.php","src\u002FAssetManager\u002Fviews\u002Fasset-manager-ui.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-39615 (Download Manager)\n\n## 1. Vulnerability Summary\nThe Download Manager plugin (\u003C= 3.3.53) is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of package metadata. Specifically, the `WPDM\\Admin\\Menu\\Packages::savePackage` method, which handles the saving of \"Download\" (`wpdmpro`) post metadata, contains logic that bypasses sanitization for certain fields like `password` and uses inadequate escaping (`htmlspecialchars` without `ENT_QUOTES`) for others like `link_label`. This allows an authenticated user with Author-level permissions or higher to inject malicious scripts into package metadata, which are subsequently rendered in the WordPress admin area or on the frontend package pages.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fpost.php` (for updating) or `\u002Fwp-admin\u002Fpost-new.php` (for creating).\n- **Hook:** `save_post` (which triggers `WPDM\\Admin\\Menu\\Packages::savePackage`).\n- **Target Post Type:** `wpdmpro` (Downloads).\n- **Vulnerable Parameters:** `file[password]`, `file[link_label]`, `file[version]`, `file[package_size]`.\n- **Authentication:** Authenticated Author+. The user must have `edit_post` capability for the package and the `upload_files` capability (standard for Authors).\n- **Preconditions:** The plugin must be active, and the attacker must be able to create or edit a `wpdmpro` post.\n\n## 3. Code Flow\n1.  **Entry Point:** When a user saves a `wpdmpro` post, WordPress fires the `save_post` action.\n2.  **Hook Registration:** In `src\u002FAdmin\u002FMenu\u002FPackages.php`, the `__construct` method registers the hook: `add_action( 'save_post', array( $this, 'savePackage' ) );`.\n3.  **Capability Check:** `savePackage` checks if the user can `edit_post` and `upload_files` (lines 47-49).\n4.  **Metadata Iteration:** The function iterates over the `$_POST['file']` array (line 70).\n5.  **Sanitization Bypass (Password):**\n    ```php\n    \u002F\u002F src\u002FAdmin\u002FMenu\u002FPackages.php:75\n    if ( $meta_key == 'password' ) {\n        \u002F\u002Fdon't alter\u002Fsanitize password\n    }\n    ```\n    If the key is `password`, it hits an empty block, skipping the `else` block's `htmlspecialchars` sanitization. The raw input is then passed directly to `update_post_meta` (line 105).\n6.  **Inadequate Sanitization (Other fields):**\n    ```php\n    \u002F\u002F src\u002FAdmin\u002FMenu\u002FPackages.php:103\n    else {\n        $meta_value = is_array( $meta_value ) ? wpdm_sanitize_array( $meta_value, 'txt' ) : htmlspecialchars( $meta_value );\n    }\n    ```\n    For other fields (e.g., `link_label`), it uses `htmlspecialchars`. By default (in PHP \u003C 8.1), this does not escape single quotes (`'`), allowing attribute breakout if the value is rendered inside a single-quoted attribute (e.g., `\u003Cinput value='$label'>`).\n7.  **Sink:** `update_post_meta( $post, $key_name, $meta_value );` (line 105). The malicious script is stored in the database.\n8.  **Execution:** The payload executes when a user (admin or visitor) views the package in the backend list, editor, or frontend single package page.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability exploits the standard WordPress post saving mechanism. \n1.  **Requirement:** A","The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping of package metadata. Authenticated attackers with Author-level access and above can inject malicious scripts into fields like 'password' or 'icon', which are then executed when an administrator views the package list or editor in the WordPress backend.","\u002F\u002F src\u002FAdmin\u002FMenu\u002FPackages.php:77\nif ( $meta_key == 'password' ) {\n    \u002F\u002Fdon't alter\u002Fsanitize password\n}\n\u002F\u002F ...\nelse {\n    $meta_value = is_array( $meta_value ) ? wpdm_sanitize_array( $meta_value, 'txt' ) : htmlspecialchars( $meta_value );\n}\nupdate_post_meta( $post, $key_name, $meta_value );\n\n---\n\n\u002F\u002F src\u002FAdmin\u002FMenu\u002FPackages.php:271\n$icon = get_post_meta( $post_ID, '__wpdm_icon', true );\nif ( $icon != '' ) {\n    $icon = $icon;\n    echo \"\u003Cimg src='$icon' class='img60px' alt='Icon' \u002F>\";\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.53\u002Fsrc\u002FAdmin\u002FMenu\u002FPackages.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.54\u002Fsrc\u002FAdmin\u002FMenu\u002FPackages.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.53\u002Fsrc\u002FAdmin\u002FMenu\u002FPackages.php\t2025-12-23 00:39:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.54\u002Fsrc\u002FAdmin\u002FMenu\u002FPackages.php\t2026-04-15 00:05:36.000000000 +0000\n@@ -269,7 +269,7 @@\n \t\t\t} else {\n \t\t\t\t$icon = get_post_meta( $post_ID, '__wpdm_icon', true );\n \t\t\t\tif ( $icon != '' ) {\n-\t\t\t\t\t$icon = $icon;\n+\t\t\t\t\t$icon = esc_url($icon);\n \t\t\t\t\techo \"\u003Cimg src='$icon' class='img60px' alt='Icon' \u002F>\";\n \t\t\t\t}\n \t\t\t}","The exploit targets the package saving logic triggered via the standard WordPress post editor. An attacker with Author+ privileges (requiring 'edit_posts' and 'upload_files' capabilities) performs the following steps:\n1. Navigate to the 'Downloads' menu and create or edit a package (post type 'wpdmpro').\n2. Submit a POST request to '\u002Fwp-admin\u002Fpost.php' including the metadata array in the 'file' parameter.\n3. To exploit the 'password' field, the payload 'file[password]' is set to a raw script tag like '\u003Cscript>alert(1)\u003C\u002Fscript>', which bypasses sanitization entirely.\n4. To exploit the 'icon' field, the payload 'file[icon]' is set to an attribute injection string like \"x' onerror='alert(1)\". Because the plugin uses 'htmlspecialchars' without ENT_QUOTES, the single quote is not escaped.\n5. The payload is stored in the database via 'update_post_meta'.\n6. The script executes when an administrator visits the 'All Downloads' list in the admin panel, where the 'icon' metadata is rendered inside a single-quoted 'src' attribute of an 'img' tag.","gemini-3-flash-preview","2026-04-21 01:59:40","2026-04-21 02:00:34",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.3.53","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.53","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.53.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.54","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.54.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags"]
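Review bot: the single hunk in research_fix_diff (Packages.php @@ -269,7 +269,7 @@) hardens only the icon output sink: the no-op `$icon = $icon;` becomes `$icon = esc_url($icon);` before the value is interpolated into the single-quoted `src` attribute, and since esc_url encodes single quotes that attribute breakout is closed for this one echo. It leaves the storage side shown in research_vulnerable_code untouched: the empty `if ( $meta_key == 'password' )` branch still passes raw input to `update_post_meta`, and the `else` branch still relies on `htmlspecialchars` without `ENT_QUOTES`. patch_diff_files lists three further changed files (download-manager.php, readme.txt, asset-manager-ui.php), so the review should confirm that one of those hunks escapes the other sinks the research plan names (backend list, editor, frontend package page), or that savePackage itself was changed in a hunk not included here; otherwise the 3.3.54 fix is narrower than the advisory text implies.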