CVE-2026-14343 Overview
CVE-2026-14343 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Download Manager plugin for WordPress in all versions up to and including 3.3.61. The flaw resides in the note_before and note_after shortcode attributes, which lack sufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute in the browsers of users who render affected pages. The issue is tracked under CWE-79.
Critical Impact
Contributor-level accounts can persistently inject scripts that execute against site visitors and administrators, enabling session theft, forced administrative actions, and content defacement.
Affected Products
- WordPress Download Manager plugin, all versions up to and including 3.3.61
- WordPress sites permitting contributor-level or higher account registration
- Any site rendering pages that contain the affected shortcode
Discovery Timeline
- 2026-07-09 - CVE-2026-14343 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-14343
Vulnerability Analysis
The Download Manager plugin exposes shortcode attributes named note_before and note_after that are rendered into page markup without proper output escaping. When a contributor or higher-privileged user embeds the shortcode into a post or page, the plugin writes attribute values directly into the rendered HTML sink. Any visitor who loads the affected page triggers execution of the injected script in their browser context. Because the injection is persisted in post content, every subsequent request to the affected page re-executes the payload.
Root Cause
The vulnerability stems from missing output escaping in the shortcode rendering path. WordPress applies wp_kses_post to post content on save for users lacking the unfiltered_html capability, filtering many payloads before storage. However, the shortcode output sink itself remains unsafe. Any tag or attribute combination allowed by wp_kses_post — including event handler attributes on permitted tags — survives save-time filtering and reaches the unescaped renderer.
Attack Vector
An attacker authenticates with a contributor-level account and creates or edits a post containing the affected shortcode with a malicious note_before or note_after value. After the content is published or previewed by higher-privileged users, the injected script executes in the victim's browser. The attack requires low privileges, no user interaction beyond page navigation, and can pivot to administrator session hijacking or forced privilege escalation actions. The scope change reflects execution in the browser context of other users.
See the Wordfence Vulnerability Analysis and the WordPress Download Manager source for technical detail on the affected sinks.
Detection Methods for CVE-2026-14343
Indicators of Compromise
- Post or page content containing Download Manager shortcodes with note_before or note_after attributes holding HTML tags, event handler attributes such as onmouseover or onerror, or javascript: URIs.
- New or modified posts authored by contributor-level accounts that reference the plugin's shortcodes.
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after previewing contributor-submitted content.
Detection Strategies
- Query the wp_posts table for post_content containing the affected shortcode with suspicious attribute values, focusing on tags such as <a>, <img>, or <svg> with event handler attributes permitted by wp_kses_post.
- Review web server access logs for administrative sessions loading pages that embed the plugin shortcode after contributor edits.
- Inspect browser Content Security Policy violation reports for inline script or event handler executions on pages using the shortcode.
Monitoring Recommendations
- Alert on creation or promotion of contributor-level accounts on sites running the Download Manager plugin.
- Monitor plugin version inventories to identify installations at or below version 3.3.61.
- Track edits to published posts and pages by non-editor accounts and flag content containing raw HTML attributes within shortcodes.
How to Mitigate CVE-2026-14343
Immediate Actions Required
- Update the WordPress Download Manager plugin to a version above 3.3.61 once released by the vendor.
- Audit contributor and author accounts and remove any that are unused, weakly authenticated, or unverified.
- Review all published posts for the affected shortcode and remove or sanitize note_before and note_after attribute values.
Patch Information
The vendor published a changeset addressing the shortcode sinks in the plugin repository. Administrators should install the fixed release through the WordPress plugin update mechanism and confirm the installed version reflects the patched build.
Workarounds
- Restrict use of the Download Manager shortcode to editor-level accounts or higher by disabling shortcode processing for contributor content until patched.
- Deploy a web application firewall rule that blocks HTML tags and event handler attributes inside note_before and note_after shortcode parameters.
- Enforce a strict Content Security Policy that disallows inline scripts and event handler execution on pages served by the affected site.
# Configuration example: identify vulnerable plugin installs via WP-CLI
wp plugin get download-manager --field=version
wp post list --post_status=publish --search='[wpdm_' --format=csv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

