{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1666", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T21:27:40.418Z", "datePublished": "2026-02-18T06:42:40.614Z", "dateUpdated": "2026-04-08T16:47:31.489Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:31.489Z"}, "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.46", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a7-92aa947310ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/Login.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/views/login-form.php#L142"}, {"url": "https://www.wpdownloadmanager.com/doc/short-codes/wpdm_login_form-user-login-form-short-code/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455081%40download-manager%2Ftrunk&old=3440008%40download-manager%2Ftrunk&sfp_email=&sfph_mail=#file25"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "timeline": [{"time": "2026-01-29T21:43:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T17:51:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:24:03.281854Z", "id": "CVE-2026-1666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:29:56.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T14:24:03.281854Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:29:52.621Z"}}], "cna": {"title": "Download Manager <= 3.3.46 - Reflected Cross-Site Scripting via 'redirect_to' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "codename065", "product": "Download Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.46"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-29T21:43:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T17:51:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a7-92aa947310ac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/Login.php#L137"}, {"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/views/login-form.php#L142"}, {"url": "https://www.wpdownloadmanager.com/doc/short-codes/wpdm_login_form-user-login-form-short-code/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455081%40download-manager%2Ftrunk&old=3440008%40download-manager%2Ftrunk&sfp_email=&sfph_mail=#file25"}], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:31.489Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1666", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:31.489Z", "dateReserved": "2026-01-29T21:27:40.418Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:40.614Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin Download Manager para WordPress es vulnerable a Cross-Site Scripting Reflejado a trav\u00e9s del par\u00e1metro 'redirect_to' en todas las versiones hasta la 3.3.46, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en el par\u00e1metro GET 'redirect_to' en el shortcode del formulario de inicio de sesi\u00f3n. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar con \u00e9xito a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1666", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T07:16:09.540", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/Login.php#L137"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.46/src/User/views/login-form.php#L142"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455081%40download-manager%2Ftrunk&old=3440008%40download-manager%2Ftrunk&sfp_email=&sfph_mail=#file25"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3cb84ba3-b403-4a9d-b1a7-92aa947310ac?source=cve"}, {"source": "security@wordfence.com", "url": "https://www.wpdownloadmanager.com/doc/short-codes/wpdm_login_form-user-login-form-short-code/"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.3.46]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Download Manager", "source": "cna", "vendor": "codename065"}, "product": "download_manager_plugin", "vendor": "codename065"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 70.0, "confidence_source": "inferred", "scores": [{"score": 70.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:18:41.021872+00:00", "value": {"mitigation_remediation": ["Upgrade the Download Manager plugin to the latest version that removes the reflected XSS flaw.", "If upgrading is not immediately possible, remove or disable the login form shortcode that uses the redirect_to parameter, or modify the shortcode to use WordPress\u2019s secure redirect functions.", "If the shortcode must remain, add input validation to explicitly allow only safe URLs for redirect_to and escape all output before rendering the page."], "summary": {"action": "Patch Update", "impact": "Reflected Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the codename065 Download Manager plugin, specifically any version 3.3.46 or older.", "description_and_impact": "The Download Manager plugin is vulnerable to reflected cross\u2011site scripting in all releases up to 3.3.46 due to the lack of sanitization and escaping of the 'redirect_to' GET parameter on the login form shortcode. An unauthenticated attacker can embed arbitrary script content that is executed when a victim opens a crafted link, enabling cookie theft, defacement, or further exploitation of the victim's session.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack requires only a malicious URL and an unsuspecting user to visit it, meaning it is exploitable in a web context without authentication. While the exploitation surface is limited to a single parameter, once a victim\u2019s browser processes the injected script the attacker gains the same privileges as the user, potentially compromising confidentiality and integrity of their session data."}}}}, "created": "2026-02-18T10:32:39.679541+00:00", "updated": "2026-04-15T18:30:10.935684+00:00", "vendors": ["codename065", "codename065$PRODUCT$download_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}