{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5357", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-01T17:01:10.398Z", "datePublished": "2026-04-09T02:25:05.524Z", "dateUpdated": "2026-04-09T02:25:05.524Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-09T02:25:05.524Z"}, "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.52", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page."}], "title": "Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27fc81b0-c03a-4de7-bc38-791401d1685b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/User/views/members.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/User/views/members.php#L10"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/User/User.php#L175"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/User/User.php#L175"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501300%40download-manager&new=3501300%40download-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-04-01T17:16:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-08T13:33:28.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page."}], "id": "CVE-2026-5357", "lastModified": "2026-04-09T04:17:14.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-09T04:17:14.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/User/User.php#L175"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/User/views/members.php#L10"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/User/User.php#L175"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/User/views/members.php#L10"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3501300%40download-manager&new=3501300%40download-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27fc81b0-c03a-4de7-bc38-791401d1685b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.52]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Download Manager", "source": "cna", "vendor": "codename065"}, "product": "download_manager_plugin", "vendor": "codename065"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T05:22:06.074949+00:00", "value": {"mitigation_remediation": ["Upgrade the Download Manager plugin to version\u202f3.3.53 or later.", "Verify that any existing short\u2011codes no longer contain unsanitized identifiers and remove or escape them.", "If an update cannot be applied, restrict contributor or higher access to pages that contain the short\u2011code, or disable the short\u2011code entirely."], "summary": {"action": "Patch immediately", "impact": "Stored cross\u2011site scripting enabling authenticated contributors to inject and execute arbitrary JavaScript"}, "threat_synthesis": {"affected_systems": "All WordPress instances that use the Download Manager plugin maintained by codename065 and run a version up to and including 3.3.52 are affected. The flaw exists purely within the plugin, independent of the core WordPress platform, so any site running an vulnerable plugin version is at risk.", "description_and_impact": "The vulnerability comes from the way the plugin handles a parameter in a short\u2011code that is meant to be an identifier. The parameter value is stored without any filtering and is later directly inserted into the page\u2019s markup. A user who can write or edit the short\u2011code with at least contributor rights can therefore place malicious script code into the parameter and have that script executed whenever any visitor loads a page that renders the short\u2011code.", "risk_and_exploitability": "The base score suggests a moderate risk level. Exploitation requires authenticated access with contributor or higher privileges to edit the short\u2011code. No public exploit is available, and the issue is not listed in CISA\u2019s catalog of known exploited vulnerabilities. Once the malicious code is inserted, it will run for every visitor to pages that include the short\u2011code, potentially enabling data theft, site defacement or further compromise. The overall threat is moderate but should be remediated promptly."}}}}, "created": "2026-04-09T08:15:47.094747+00:00", "updated": "2026-04-09T08:25:13.741682+00:00", "vendors": ["codename065", "codename065$PRODUCT$download_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}