Download Manager < 3.3.54 – Authenticated (Author+) Stored Cross-Site Scripting | CVE 2026-39615 | Plugin Vulnerabilities

Description

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

download-manager

Fixed in 3.3.54

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0184b2b5-0b50-407e-8911-b0845714ea17

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

hhhai

Verified

No

WPVDB ID

4239f51a-2880-4c60-a0cc-d11ae6b3573d

Timeline

Publicly Published

2026-02-10 (about 3 months ago)

Added

2026-04-15 (about 28 days ago)

Last Updated

2026-04-15 (about 28 days ago)

Other

Published

Title

Published

2014-08-01

Title

Post Gallery - Cross-Site Scripting (XSS)

Published

2024-04-29

Title

Premium Addons for Elementor < 4.10.31 - Contributor+ Stored XSS

Published

2024-07-11

Title

WooCommerce Customers Manager < 30.2 - Subscriber+ Stored XSS

Published

2023-05-19

Title

WooDiscuz – WooCommerce Comments < 2.3.0 - Admin+ Stored XSS

Published

2025-01-10

Title

Responsive iframe <= 1.2.0 - Contributor+ Stored XSS