Download Manager <= 3.3.61 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes

2026-07-08 18:12
PRISM

Strategic Overview

Status
Patched in 3.3.62
Affected PluginDownload Manager
Affected Version<= 3.3.61
CVSS6.4Medium
CVECVE-2026-14343
View all Download Manager vulnerabilities

Vulnerability Overview

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.

Technical Analysis

REMEDIATION: Update to version 3.3.62, or a newer patched version --- IDENTIFIER: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C

Download Manager <= 3.3.61 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes (CVE-2026-14343)