CVE-2026-1666
Reflected XSS in WordPress Download Manager Plugin
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpdownloadmanager | download_manager | to 3.3.46 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Download Manager plugin for WordPress is a Reflected Cross-Site Scripting (XSS) issue. It occurs via the 'redirect_to' parameter in the login form shortcode in all versions up to and including 3.3.46. This happens because the plugin does not properly sanitize or escape the input from the 'redirect_to' GET parameter. As a result, an unauthenticated attacker can inject arbitrary web scripts that execute in the context of a userβs browser if the user is tricked into clicking a malicious link.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute malicious scripts in your users' browsers without authentication. Such scripts could steal sensitive information like cookies or session tokens, perform actions on behalf of the user, or redirect users to malicious sites. Since the attack relies on tricking users into clicking crafted links, it can lead to phishing, session hijacking, or other malicious activities that compromise user security and trust.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the Download Manager WordPress plugin affecting the 'redirect_to' GET parameter in the login form shortcode. Detection typically involves identifying attempts to inject malicious scripts via this parameter.
To detect exploitation attempts on your network or system, you can monitor HTTP requests to the login form URL for suspicious or encoded script payloads in the 'redirect_to' parameter.
- Use web server logs or network monitoring tools to search for requests containing 'redirect_to' parameters with suspicious content, for example:
- grep -i 'redirect_to=' /var/log/apache2/access.log | grep -E '(%3Cscript|<script|\u003cscript)'
- Use intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect reflected XSS payloads targeting the 'redirect_to' parameter.
- Manually test the login form by sending crafted URLs with script tags in the 'redirect_to' parameter to see if the script executes, e.g., accessing: https://your-site.com/login?redirect_to=<script>alert(1)</script>
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the Download Manager WordPress plugin to a version later than 3.3.46 where the vulnerability is fixed.
- If an update is not immediately possible, implement web application firewall (WAF) rules to block or sanitize requests containing suspicious scripts in the 'redirect_to' parameter.
- Restrict or monitor access to the login form URL to reduce exposure to unauthenticated attackers.
- Educate users to avoid clicking on suspicious links that may exploit this reflected XSS vulnerability.
- Consider disabling or restricting the use of the vulnerable login form shortcode until a patch is applied.