CVE-2026-1666
Received Received - Intake
Reflected XSS in WordPress Download Manager Plugin

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1666
EUVD
EUVD-2026-8084
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpdownloadmanager download_manager to 3.3.46 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Download Manager plugin for WordPress is a Reflected Cross-Site Scripting (XSS) issue. It occurs via the 'redirect_to' parameter in the login form shortcode in all versions up to and including 3.3.46. This happens because the plugin does not properly sanitize or escape the input from the 'redirect_to' GET parameter. As a result, an unauthenticated attacker can inject arbitrary web scripts that execute in the context of a user’s browser if the user is tricked into clicking a malicious link.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your users' browsers without authentication. Such scripts could steal sensitive information like cookies or session tokens, perform actions on behalf of the user, or redirect users to malicious sites. Since the attack relies on tricking users into clicking crafted links, it can lead to phishing, session hijacking, or other malicious activities that compromise user security and trust.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Download Manager WordPress plugin affecting the 'redirect_to' GET parameter in the login form shortcode. Detection typically involves identifying attempts to inject malicious scripts via this parameter.

To detect exploitation attempts on your network or system, you can monitor HTTP requests to the login form URL for suspicious or encoded script payloads in the 'redirect_to' parameter.

  • Use web server logs or network monitoring tools to search for requests containing 'redirect_to' parameters with suspicious content, for example:
  • grep -i 'redirect_to=' /var/log/apache2/access.log | grep -E '(%3Cscript|<script|\u003cscript)'
  • Use intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect reflected XSS payloads targeting the 'redirect_to' parameter.
  • Manually test the login form by sending crafted URLs with script tags in the 'redirect_to' parameter to see if the script executes, e.g., accessing: https://your-site.com/login?redirect_to=<script>alert(1)</script>
Mitigation Strategies

Immediate mitigation steps include:

  • Update the Download Manager WordPress plugin to a version later than 3.3.46 where the vulnerability is fixed.
  • If an update is not immediately possible, implement web application firewall (WAF) rules to block or sanitize requests containing suspicious scripts in the 'redirect_to' parameter.
  • Restrict or monitor access to the login form URL to reduce exposure to unauthenticated attackers.
  • Educate users to avoid clicking on suspicious links that may exploit this reflected XSS vulnerability.
  • Consider disabling or restricting the use of the vulnerable login form shortcode until a patch is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart