CVE-2026-14343 in Download Manager Plugin
Summary
by MITRE • 07/09/2026
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability identified in the WordPress Download Manager plugin represents a critical stored cross-site scripting flaw that affects versions up to and including 3.3.61. This security weakness stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode processing functionality, specifically concerning the 'note_before' and 'note_after' attributes. The vulnerability operates at the intersection of user privilege escalation and client-side attack vectors, creating a pathway for authenticated attackers who possess contributor-level access or higher to execute malicious code within the context of victim users' browsers.
The technical implementation of this vulnerability exploits the plugin's shortcode attribute handling system where user-supplied input flows directly into rendered HTML output without proper sanitization. While WordPress implements wp_kses_post filtering to prevent unrestricted HTML content from being saved by users without the unfiltered_html capability, this protective measure proves insufficient against the specific attack vector in question. The filtering occurs at save time but fails to address the fundamental issue that the shortcode rendering process itself remains vulnerable to executing malicious payloads that have passed through the initial sanitization filters.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to leverage the privileged access level to inject persistent malicious content that will execute whenever any user accesses a page containing the compromised shortcode. This creates a persistent threat vector where the attacker's code can run in the context of legitimate users' sessions, potentially leading to session hijacking, data exfiltration, or further privilege escalation attempts. The vulnerability particularly affects environments where contributors and higher-level users have access to plugin functionality that allows them to modify content containing shortcodes.
Security professionals should recognize this issue as a classic example of insufficient output escaping in web applications, which aligns with CWE-79 (Cross-site Scripting) classification within the Common Weakness Enumeration framework. The attack pattern demonstrates characteristics consistent with ATT&CK technique T1566.002 (Phishing via Social Engineering) and T1059.001 (Command and Scripting Interpreter), as it enables attackers to execute malicious scripts in victim browsers. Organizations should implement immediate mitigations including plugin version updates, input validation enforcement, and strict content filtering policies while monitoring for potential exploitation attempts.
The vulnerability highlights the critical importance of proper sanitization at multiple layers within web applications, particularly when dealing with user-generated content that gets rendered as HTML output. Even when initial filtering mechanisms exist, they may not adequately protect against specific rendering contexts where malicious payloads can still execute successfully. This case underscores the necessity for comprehensive security testing including both input validation and output escaping verification in all application components that process user-supplied data.
Organizations should prioritize updating to patched versions of the Download Manager plugin while implementing additional defensive measures such as role-based access restrictions, content monitoring systems, and regular security audits of third-party plugins. The vulnerability demonstrates how seemingly isolated component flaws can create significant security risks when combined with existing privilege structures within WordPress installations, emphasizing the need for holistic security approaches that consider both application-level and user-access controls in vulnerability management strategies.