Hong Kong Alert: XSS in Download Manager (CVE-2026-5357)

Cross Site Scripting (XSS) in WordPress Download Manager Plugin

Urgent Security Advisory: Stored XSS in WordPress Download Manager (<= 3.3.52)


Plugin Name: Download Manager
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-5357
Urgency: Low
CVE Publish Date: 2026-04-09
Source URL: CVE-2026-5357

Urgent Security Advisory: Stored XSS in WordPress Download Manager (≤ 3.3.52) — What Site Owners Need to Know and Do Now

Date: 9 April 2026
Author: Hong Kong Security Expert


If your WordPress sites use the Download Manager plugin, read this advisory immediately. A stored cross-site scripting (XSS) vulnerability (CVE-2026-5357) in Download Manager versions up to and including 3.3.52 allows an authenticated user with Contributor privileges to save malicious shortcode attributes which are later rendered and executed in visitors’ browsers. Although some scoring systems label this as low urgency, stored XSS can be escalated, used as a foothold for further compromise, and abused in bulk exploitation campaigns. Swift action is required.

This advisory explains, in plain language and technical detail:

  • what the vulnerability is and who it affects;
  • plausible attack scenarios and impact;
  • how to detect if your site has been affected;
  • step-by-step mitigations — immediate and long-term;
  • practical hardening tips for WordPress administrators and developers.

I write as a Hong Kong-based security practitioner experienced with WordPress incidents — the fix is usually straightforward, but time matters. Follow the checklist below.


Executive summary (quick actionable steps)

  1. Upgrade Download Manager immediately to version 3.3.53 or later — this is the vendor patch that resolves the issue.
  2. If you cannot upgrade now, restrict Contributor access temporarily and disable or prevent rendering of untrusted shortcodes on public pages.
  3. Search content (posts/pages/shortcodes/postmeta) for suspicious attributes and remove unexpected HTML or script content.
  4. Apply perimeter controls (e.g., generic WAF rules) to block attempts to inject script/event handlers and javascript: URIs in shortcode attributes while you patch.
  5. Monitor logs for suspicious requests and review recent content created or updated by Contributors.
  6. Backup your site and database before making broad content changes.

If you manage many sites or operate a hosting environment, schedule updates across your fleet and consider virtual patching to close the window while you apply fixes.
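Step 3 above asks you to search stored content for shortcode attributes that carry markup or script. The following scanner is an added example written for this advisory; it is not code from the Download Manager plugin or its vendor. It assumes the plugin's shortcode tags start with the prefix `wpdm_` (the advisory does not list the tag names; change `$prefix` if your installation uses different tags), and it runs on constructed sample rows so it can be tried offline before pointing it at a real database.

```php
<?php
// Added example (not code from the Download Manager plugin or its vendor): a scanner for
// shortcode attributes that carry HTML or JavaScript syntax, covering step 3 above.
// Assumption: the plugin's shortcode tags start with "wpdm_" (the advisory does not list
// the tag names); change $prefix if your installation uses different tags.

/**
 * Scan a blob of post content for shortcodes whose attribute values look like
 * markup or script. Returns one finding per suspicious attribute.
 */
function wpdm_scan_shortcode_attributes(string $content, string $prefix = 'wpdm_'): array
{
    $findings = [];

    // [wpdm_tag attr="..." ...]: attribute text runs up to the closing bracket, so an
    // attribute value containing "]" would be cut short; good enough for triage.
    $tagPattern = '/\[(' . preg_quote($prefix, '/') . '[a-z0-9_]*)\b([^\]]*)\]/i';
    if (!preg_match_all($tagPattern, $content, $tags, PREG_SET_ORDER)) {
        return $findings;
    }

    // key="value", key='value' or key=value (the forms WordPress accepts).
    $attrPattern = '/([a-z0-9_-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/i';

    // Signatures of an attribute value trying to become markup rather than data.
    $signatures = [
        'html_tag'       => '/<\s*\/?\s*[a-z!]/i',            // <script, </a, <!--
        'event_handler'  => '/\bon[a-z]+\s*=/i',              // onclick=, onerror=
        'js_uri'         => '/javascript\s*:/i',              // javascript: links
        'data_uri'       => '/data\s*:\s*text\/html/i',       // data:text/html documents
        'quote_breakout' => '/["\']\s*[a-z-]+\s*=/i',         // " onmouseover= (escapes the attribute)
        'entity_encoded' => '/&(#x?[0-9a-f]+|quot|lt|gt);/i', // encoded quotes or brackets
    ];

    foreach ($tags as $tag) {
        [, $tagName, $attrString] = $tag;
        if (!preg_match_all($attrPattern, $attrString, $attrs, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL)) {
            continue;
        }
        foreach ($attrs as $a) {
            $value   = $a[2] ?? $a[3] ?? $a[4] ?? '';
            $reasons = [];
            foreach ($signatures as $reason => $re) {
                if (preg_match($re, $value)) {
                    $reasons[] = $reason;
                }
            }
            if ($reasons) {
                $findings[] = ['tag' => $tagName, 'attr' => $a[1], 'value' => $value, 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_posts.post_content / wp_postmeta.meta_value.
$samplePosts = [
    42 => '<p>Get it here: [wpdm_package id=7 template="link-template-default"]</p>',
    43 => '[wpdm_package id=7 title=\'" onmouseover="alert(1)\' template="link-template-default"]',
    44 => '[wpdm_category link="javascript:void(0)" title="Manuals"]',
];

foreach ($samplePosts as $postId => $content) {
    foreach (wpdm_scan_shortcode_attributes($content) as $f) {
        printf("post %d: [%s] %s=%s -> %s\n",
            $postId, $f['tag'], $f['attr'], $f['value'], implode(', ', $f['reasons']));
    }
}

// Inside WordPress (for instance via `wp eval-file scan.php`) feed real rows instead:
//   global $wpdb;
//   $rows = $wpdb->get_results(
//       "SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%[wpdm_%'"
//   );
//   foreach ($rows as $row) { /* wpdm_scan_shortcode_attributes($row->post_content) */ }
```

Post 42 produces no finding; post 43 is flagged for the `title` attribute (event handler plus quote break-out) and post 44 for the `javascript:` link. Run the same function over `wp_postmeta.meta_value` as well, since the advisory notes the values may be stored in post meta, and review every flagged row by hand rather than deleting automatically: a legitimate attribute can contain an ampersand entity.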


What exactly is the vulnerability?

  • Type: Stored Cross-Site Scripting (XSS)
  • Affected plugin: Download Manager (WordPress plugin)
  • Affected versions: ≤ 3.3.52
  • Patched in: 3.3.53
  • CVE: CVE-2026-5357
  • Required privilege to exploit: Contributor (authenticated)
  • Risk: Stored XSS — untrusted input saved to the database and later rendered without sufficient sanitization/escaping

The plugin accepts user-supplied values inside shortcode attributes and stores them (in post meta or download definitions). When the shortcode is rendered on the frontend, attribute values are output without proper sanitization, allowing an authenticated Contributor to inject HTML/JavaScript that executes in the browser of any visitor (including administrators or editors who preview the page in the admin interface).
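To make the mechanism concrete, here is an added illustration of the vulnerability class and of the output-escaping fix. It is not the Download Manager plugin's code: the shortcode tag `demo_download` and its attributes `id`, `title` and `link` are invented for the example, and the small stand-in functions at the top only exist so the file also runs outside WordPress (inside WordPress the real `esc_attr()`, `esc_html()`, `esc_url()`, `absint()` and `shortcode_atts()` are used). The point it shows is why escaping has to happen at output: WordPress core runs the post content of users without the `unfiltered_html` capability, Contributors included, through kses on save, which strips a literal `<script>` tag, but a quote-and-attribute payload inside a shortcode attribute contains no tag, so it is stored intact and handed to the shortcode handler as plain data.

```php
<?php
// Added illustration (not the Download Manager plugin's code) of the vulnerability class:
// a shortcode handler that writes stored attribute values into HTML unescaped, next to the
// same handler escaping each value for its context. The tag "demo_download" and its
// attributes id/title/link are invented for this example.

// Stand-ins so the file also runs outside WordPress; inside WordPress the real functions
// from wp-includes/formatting.php and shortcodes.php are used (the stand-ins are simplified,
// e.g. the real esc_url() also normalises the URL and allows more schemes than http/https).
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? htmlspecialchars($s, ENT_QUOTES, 'UTF-8') : '';
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// BEFORE: attribute values are concatenated straight into the markup.
function demo_download_vulnerable($atts): string
{
    $a = shortcode_atts(['id' => 0, 'title' => 'Download', 'link' => '#'], (array) $atts);
    return '<a class="download" data-id="' . $a['id'] . '" href="' . $a['link']
        . '" title="' . $a['title'] . '">' . $a['title'] . '</a>';
}

// AFTER: each value is validated or escaped for the exact context it lands in.
function demo_download_hardened($atts): string
{
    $a     = shortcode_atts(['id' => 0, 'title' => 'Download', 'link' => ''], (array) $atts);
    $id    = absint($a['id']);        // integer only
    $link  = esc_url($a['link']);     // URL context: non-http(s) schemes are dropped
    $title = esc_attr($a['title']);   // HTML attribute context
    $label = esc_html($a['title']);   // HTML text context
    if ($link === '') {
        $link = '#';
    }
    return sprintf('<a class="download" data-id="%d" href="%s" title="%s">%s</a>',
        $id, $link, $title, $label);
}

// Register the hardened handler when running inside WordPress.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_download', 'demo_download_hardened');
}

// Constructed attribute set, as it would arrive from a stored shortcode such as
// [demo_download id=7 title='" onmouseover="alert(1)' link="javascript:void(0)"]
// (kses leaves this alone on save because it contains no HTML tag).
$storedAtts = ['id' => '7', 'title' => '" onmouseover="alert(1)', 'link' => 'javascript:void(0)'];
echo demo_download_vulnerable($storedAtts), "\n";
echo demo_download_hardened($storedAtts), "\n";
```

The first line of output closes the `title` attribute early and carries a live `onmouseover` handler together with a `javascript:` href; in the second line the quotes have become `&quot;`, the href has fallen back to `#` and the id is an integer, so the same stored value is rendered as inert text. The rule the hardened version follows is the one to check for in any shortcode handler you audit: validate or escape every attribute for the context it is written into, never trust that save-time filtering already did it.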

Stored XSS is especially dangerous because the payload persists on the site. It can be used to escalate privileges, steal cookies/session tokens, perform actions on behalf of administrators, or deliver additional payloads over time.


Why contributors? Why is that important?

The Contributor role is commonly used on blogs and multi-author sites. Contributors can create and edit posts but cannot publish. Many site owners assume Contributors are low risk because they cannot install plugins or themes. However, stored XSS triggered by Contributors becomes dangerous when:

  • a higher-privileged user (Editor/Administrator) previews or edits the content, causing the script to run in their browser;
  • the malicious content is published by an Editor/Administrator or after moderation;
  • the plugin renders the shortcode in a way that executes the payload in any visitor’s browser.

Attackers often target accounts that are easier to obtain or compromise — such as contributor accounts — and then rely on an admin to interact with the content to gain elevated code execution.


Realistic attack scenarios

  1. A Contributor crafts a shortcode attribute containing an HTML event handler (e.g., onclick) or inline script encoded into a value. When an admin previews the content, that script executes and attempts to steal the administrator’s authentication cookie or perform actions via AJAX.
  2. A payload executes in an admin context and uses accessible REST endpoints or AJAX calls to create a hidden admin user or drop a backdoor.
  3. A Contributor injects a script that loads an external payload (malware/cryptominer) onto public pages, affecting visitors and harming reputation/SEO.
  4. Automated campaigns scan for the vulnerable shortcode rendering and exploit many sites in bulk.

Even a seemingly benign payload (redirects or ads) violates trust and can be time-consuming to remediate.


How to detect if you are affected (detection & indicators)

  1. Plugin version
    Check the Download Manager plugin version in WordPress Admin → Plugins. If it is ≤ 3.3.52, the site is vulnerable.
  2. Search content for suspicious shortcode attributes
    Search posts, pages, custom post types and postmeta for Download Manager shortcodes and unusual attribute values, e.g. attributes containing