Download Manager < 3.3.53 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | CVE 2026-5357 | Plugin Vulnerabilities

Description

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

Affects Plugins

download-manager

Fixed in 3.3.53

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/27fc81b0-c03a-4de7-bc38-791401d1685b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zaim

Verified

No

WPVDB ID

724b4747-0c2c-424b-9f7b-4a30840b01a9

Timeline

Publicly Published

2026-04-08 (about 1 month ago)

Added

2026-04-08 (about 1 month ago)

Last Updated

2026-04-09 (about 1 month ago)

Other

Published

Title

Published

2022-12-02

Title

Bulk Delete Users by Email < 2.0.0 - Reflected Cross-Site Scripting

Published

2024-11-08

Title

ra_qrcode <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-29

Title

Forms by CaptainForm <= 2.5.3 - Reflected Cross-Site Scripting via REQUEST_URI

Published

2025-12-05

Title

Widgets for Google Reviews < 13.2.5 - Unauthenticated Stored XSS via Google Reviews

Published

2026-05-01

Title

Jeg Kit for Elementor < 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute