Download Manager < 3.3.47 – Reflected Cross-Site Scripting via 'redirect_to' Parameter | CVE 2026-1666 | Plugin Vulnerabilities

Description

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

download-manager

Fixed in 3.3.47

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a7-92aa947310ac

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Jack Taylor

Verified

No

WPVDB ID

33d7d258-2bcf-408d-a385-48723dcd2be0

Timeline

Publicly Published

2026-02-17 (about 2 months ago)

Added

2026-02-17 (about 2 months ago)

Last Updated

2026-02-18 (about 2 months ago)

Other

Published

Title

Published

2023-10-18

Title

Hitsteps Web Analytics < 5.87 - Admin+ Stored XSS

Published

2024-04-30

Title

WPify Woo Czech < 4.0.11 - Reflected Cross-Site Scripting

Published

2024-10-03

Title

Product Delivery Date for WooCommerce – Lite < 2.7.4 - Reflected Cross-Site Scripting

Published

2023-12-29

Title

WP Affiliate Disclosure < 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via $id

Published

2026-01-08

Title

WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute