CVE-2026-5357Cross-site Scripting in Download Manager

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.4MEDIUMNVD
EPSS
0.0%
top 87.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Codename065 Download Manager
Timeline
PublishedApr 9

Description

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applyi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes2026-04-09
GHSA
GHSA-cwf6-258p-c2v5: The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in vers2026-04-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-5357 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-5357 — Cross-site Scripting | cvebase