CVE-2026-5357 Overview
The Download Manager plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the sid parameter of the wpdm_members shortcode. This vulnerability affects versions up to and including 3.3.52 and stems from insufficient input sanitization and output escaping on user-supplied shortcode attributes.
The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript code that executes whenever any user visits a page containing the malicious payload. Because the script is stored server-side and served to all visitors, this represents a persistent XSS attack vector that can affect multiple users over time.
Critical Impact
Authenticated attackers with contributor privileges can inject persistent malicious scripts that execute in the browsers of all users visiting affected pages, potentially leading to session hijacking, credential theft, and site defacement.
Affected Products
- Download Manager plugin for WordPress versions up to and including 3.3.52
- WordPress installations using the vulnerable wpdm_members shortcode functionality
- Sites permitting contributor-level or higher user access
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-5357 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-5357
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists in the Download Manager plugin's member management functionality. The flaw occurs because the sid parameter passed to the wpdm_members shortcode is extracted without proper sanitization in the members() function and subsequently stored via update_post_meta(). When the data is later rendered in the members.php template, it is echoed directly into an HTML id attribute without applying the esc_attr() escaping function that WordPress provides for this purpose.
The attack requires authenticated access with at least contributor-level privileges, which limits the initial attack surface. However, once a malicious payload is injected, it persists in the database and executes for every user who views the affected page, including administrators. This persistence and broad execution scope makes Stored XSS significantly more dangerous than Reflected XSS variants.
Root Cause
The root cause is a failure to implement proper input validation and output encoding at two critical points in the data flow:
Input Stage: The sid parameter is accepted from shortcode attributes in the User.phpmembers() function without sanitization before being passed to update_post_meta() for storage.
Output Stage: When rendering the member display in members.php, the stored sid value is inserted directly into an HTML id attribute without using WordPress's esc_attr() function to escape special characters.
This dual failure violates the fundamental security principle of "sanitize input, escape output" and allows attackers to break out of the HTML attribute context to inject executable JavaScript.
Attack Vector
The attack is network-based and requires the attacker to be authenticated with contributor-level access or above. The attacker crafts a malicious sid value within a wpdm_members shortcode that includes JavaScript code designed to escape the HTML id attribute context. When a victim visits a page containing this shortcode, the malicious script executes in their browser session.
A typical attack scenario involves:
- An attacker with contributor access creates or edits a post/page
- The attacker inserts a wpdm_members shortcode with a crafted sid parameter containing XSS payload
- The payload is stored in the WordPress database via update_post_meta()
- When any user (including administrators) views the page, the unsanitized sid value renders in the HTML
- The malicious JavaScript executes in the victim's browser with their session context
For technical details on the vulnerable code paths, see the User.php source code and members.php template.
Detection Methods for CVE-2026-5357
Indicators of Compromise
- Presence of wpdm_members shortcodes containing unusual characters such as <, >, ", ', on, script, or javascript in the sid parameter
- Database entries in wp_postmeta with suspicious JavaScript payloads associated with Download Manager metadata
- Web server access logs showing pages with Download Manager shortcodes returning unusual response sizes
- Browser console errors or unexpected script execution on pages using the Download Manager member functionality
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in POST requests targeting WordPress shortcode processing
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and alert on violations
- Monitor WordPress wp_postmeta table for entries containing script tags or event handlers in Download Manager-related metadata
- Use SentinelOne's behavioral detection capabilities to identify anomalous JavaScript execution patterns originating from WordPress pages
Monitoring Recommendations
- Enable WordPress activity logging to track shortcode creation and modification events by contributor-level users
- Configure real-time alerting for CSP violation reports that may indicate XSS exploitation attempts
- Regularly audit pages using wpdm_members shortcodes for suspicious content in the sid parameter
- Monitor for unusual session activity following visits to Download Manager-enabled pages
How to Mitigate CVE-2026-5357
Immediate Actions Required
- Update the Download Manager plugin to version 3.3.53 or later immediately
- Audit existing pages and posts for any wpdm_members shortcodes with suspicious sid parameter values
- Review the wp_postmeta database table for any stored XSS payloads and remove malicious entries
- Consider temporarily restricting contributor-level user permissions until the patch is applied
Patch Information
The vulnerability has been addressed by the plugin developers. Review the WordPress changeset for details on the fix implementation. The patch properly sanitizes the sid parameter input and applies esc_attr() escaping when outputting the value in HTML contexts.
Additional information is available in the Wordfence vulnerability report.
Workarounds
- Temporarily disable the Download Manager plugin if immediate patching is not possible
- Remove or restrict the use of the wpdm_members shortcode across all pages and posts
- Implement a Web Application Firewall rule to block requests containing potential XSS payloads in shortcode parameters
- Revoke contributor-level access temporarily or limit user capabilities to prevent new content creation
# WordPress CLI command to search for potentially malicious shortcodes
wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key LIKE '%wpdm%' AND meta_value LIKE '%script%'" --allow-root
# Temporarily deactivate the plugin via WP-CLI
wp plugin deactivate download-manager --allow-root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
