WordPress Download Manager plugin exposes users to malicious scripts via links
CVE-2026-1666
Summary
A security issue in the Download Manager plugin for WordPress lets an attacker inject malicious scripts into a page when a user follows a crafted link, for example one received from an untrusted source. To fix this, update the Download Manager plugin to a version newer than 3.3.46.
Original title
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient i...
Original description
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
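As an added illustration of the bug class the description refers to (constructed for this page, not the plugin's own code, with hypothetical function names): a shortcode handler that reflects the 'redirect_to' GET parameter into its login form, first with no sanitization or escaping, then with WordPress's input sanitization, redirect validation and attribute-context escaping applied.

```php
<?php
// Constructed example of a login form shortcode that reflects the 'redirect_to'
// GET parameter. Not the Download Manager plugin's code; names are hypothetical.

// Weak pattern: the raw query value is written straight into the HTML attribute.
// Whatever the parameter contains reaches the page unchanged, which is the
// "insufficient input sanitization and output escaping" condition in the advisory.
function hypothetical_login_form_weak() {
    $redirect = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : '';
    return '<form method="post" action="">'
         . '<input type="hidden" name="redirect_to" value="' . $redirect . '">'
         . '<input type="submit" value="Log in">'
         . '</form>';
}

// Hardened pattern: unslash and sanitize on input, restrict the destination to
// the site (or hosts allowed by the 'allowed_redirect_hosts' filter) with
// wp_validate_redirect(), and escape for the attribute context on output.
function hypothetical_login_form_hardened() {
    $raw = isset( $_GET['redirect_to'] )
        ? sanitize_text_field( wp_unslash( $_GET['redirect_to'] ) )
        : '';
    // Foreign or malformed destinations fall back to the site root.
    $redirect = wp_validate_redirect( $raw, home_url( '/' ) );
    return '<form method="post" action="">'
         . '<input type="hidden" name="redirect_to" value="' . esc_url( $redirect ) . '">'
         . '<input type="submit" value="Log in">'
         . '</form>';
}
```

The output escaping is what closes the injection; the redirect validation additionally prevents the same parameter from being used to send a logged-in user to an arbitrary external site.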
NVD CVSS 3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User...
- https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a...
- https://www.wpdownloadmanager.com/doc/short-codes/wpdm_login_form-user-login-for...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026