CVE-2026-39615
Received Received - Intake
Stored XSS in Shahjada Download Manager

Publication date: 2026-04-08

Last updated on: 2026-04-10

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39615
EUVD
EUVD-2026-20253
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shahjada download_manager to 3.3.53 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39615 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Download Manager Plugin versions up to and including 3.3.53.

This vulnerability allows an attacker to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into a website, which execute when visitors access the compromised site.

Exploitation requires user interaction by a privileged user (such as an author or developer) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.

No official patch is currently available, and the affected plugin version remains vulnerable.

Mitigation Strategies

Immediate mitigation involves updating the Download Manager plugin once an official patch is released.

Until a patch is available, affected users should seek assistance from hosting providers or web developers to implement temporary safeguards.

Additionally, limiting privileged user interactions with untrusted content and monitoring for suspicious activity can reduce exploitation risk.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, displaying unwanted advertisements, or other harmful HTML payloads.

Such attacks can compromise the user experience and trust in your website, and may be used in mass-exploit campaigns targeting many websites.

However, exploitation requires interaction by a privileged user, which limits the ease of attack.

The overall impact is considered low severity with a CVSS score of 5.9.

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) in the WordPress Download Manager plugin up to version 3.3.53. Detection typically involves identifying malicious script injections in web pages generated by the plugin.

Since exploitation requires user interaction by privileged users, monitoring for unusual or unexpected script content in pages generated by the plugin can help detect the issue.

No specific detection commands are provided in the available resources.

Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in the Download Manager plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart