
Download Manager WordPress Plugin Authenticated Stored XSS via Shortcode Attribute (CVE-2026-13733)

Scope: Download Manager WordPress Plugin Versions up to and Including 3.3.60

Severity: Medium

A stored cross-site scripting vulnerability in the Download Manager WordPress plugin allows authenticated attackers with contributor-level access or higher to inject persistent malicious scripts through the plugin's "no data message" shortcode attribute (no_data_msg), which is insufficiently sanitized. The injected payload survives WordPress's standard content filtering when the post is saved and is reconstructed into executable script when the page renders, so it runs automatically in the browser of any user who views the affected page.

Although exploitation requires contributor-level access, sites that allow lower-trust or external contributors to submit or publish content are directly exposed: a successful attack gives the injected script the full browser context of any visiting administrator.

Administrators should update to Download Manager version 3.3.61 or later, audit existing shortcode usage across posts and pages for suspicious no_data_msg attribute values, and review which accounts hold the contributor role to confirm that only trusted users do.
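
One way to carry out the shortcode audit recommended above, as an added example rather than code from the plugin or from CERT.UG/CC: a Python script that pulls every no_data_msg attribute out of post content and flags values that look like markup or script instead of a plain message. The shortcode tag names and the post bodies are constructed for illustration (the advisory does not name the shortcode tag), and because the advisory says the payload survives the standard content filter and is reconstructed at render time, the check decodes HTML entities before matching so an entity-encoded payload does not pass as harmless text.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample post bodies for the audit (not taken from any real site).
# The advisory does not name the shortcode tag, so "some_tag"/"other_tag" are
# placeholders; the attribute name no_data_msg is the one the advisory gives.
SAMPLE_POSTS: Dict[int, str] = {
    101: 'Files: [some_tag no_data_msg="No files available."]',
    102: 'Encoded: [some_tag no_data_msg="&lt;img src=x onerror=alert(1)&gt;"]',
    103: "Plain: [some_tag no_data_msg='<script>alert(document.cookie)</script>']",
    104: 'Unquoted: [some_tag no_data_msg=javascript:alert(1)]',
    105: 'A post with no shortcode at all.',
    106: '[other_tag no_data_msg="Nothing &amp; nobody"]',
    107: '[some_tag no_data_msg="&amp;lt;svg onload=alert(1)&amp;gt;"]',
}

# Any WordPress shortcode: [tag attr="..." ...]
SHORTCODE_RE = re.compile(r"\[(?P<tag>[a-zA-Z0-9_-]+)\b(?P<attrs>[^\]]*)\]")

# The three attribute syntaxes WordPress accepts: "value", 'value', bare value.
ATTR_RE = re.compile(
    r"""no_data_msg\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))""",
    re.IGNORECASE,
)

# Triage heuristics for an attribute that should only ever hold a plain message.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*/?\s*[a-zA-Z]"), "HTML tag"),
    (re.compile(r"\bon[a-zA-Z]+\s*="), "event-handler attribute"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript: URI"),
]


def extract_no_data_msg(content: str) -> List[Tuple[str, str]]:
    """Return (shortcode_tag, no_data_msg_value) for every shortcode in content."""
    found = []
    for sc in SHORTCODE_RE.finditer(content):
        m = ATTR_RE.search(sc.group("attrs"))
        if m:
            value = m.group("dq") or m.group("sq") or m.group("bare") or ""
            found.append((sc.group("tag"), value))
    return found


def is_suspicious(value: str) -> List[str]:
    """Reasons the value looks like markup or script rather than a message."""
    # Decode entities once before matching: a payload stored as &lt;script&gt;
    # reads as harmless text in the raw post but becomes markup if anything
    # decodes it on output, which is the reconstruction the advisory describes.
    decoded = html.unescape(value)
    reasons = [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(decoded)]
    # A second layer of encoding (&amp;lt;) has no business in a plain message.
    if html.unescape(decoded) != decoded:
        reasons.append("nested entity encoding")
    return reasons


def audit_posts(posts: Dict[int, str]) -> List[Dict[str, object]]:
    """Scan a post_id -> post_content mapping and return the flagged attributes."""
    findings = []
    for post_id, content in posts.items():
        for tag, value in extract_no_data_msg(content):
            reasons = is_suspicious(value)
            if reasons:
                findings.append({"post_id": post_id, "tag": tag, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: [{f['tag']}] no_data_msg={f['value']!r} -> {', '.join(f['reasons'])}")
```

On a live site the dictionary would be filled from the database rather than from the constructed samples, for example with WP-CLI (`wp post get <id> --field=post_content` for each ID returned by `wp post list --post_type=post,page --post_status=any --field=ID`). Each hit is a triage lead, not proof of compromise: the patterns are heuristics, and a legitimate message that merely contains an ampersand, as in sample post 106, is not flagged.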

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.