{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4278", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T15:27:01.754Z", "datePublished": "2026-03-26T03:37:29.245Z", "dateUpdated": "2026-04-08T17:32:37.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:37.077Z"}, "affected": [{"vendor": "specialk", "product": "Simple Download Counter", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f23dec73-9031-4829-a84b-4979c8e8ded4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L159"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L159"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L157"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L157"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487364%40simple-download-counter&new=3487364%40simple-download-counter&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-16T17:45:27.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:37.193174Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:15.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4278", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:37.193174Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:18.082Z"}}], "cna": {"title": "Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "specialk", "product": "Simple Download Counter", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-16T17:45:27.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f23dec73-9031-4829-a84b-4979c8e8ded4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L159"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L159"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L135"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L157"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L157"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L92"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487364%40simple-download-counter&new=3487364%40simple-download-counter&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:37.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4278", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:37.077Z", "dateReserved": "2026-03-16T15:27:01.754Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T03:37:29.245Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Simple Download Counter para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'sdc_menu' en todas las versiones hasta la 2.3, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos de shortcode proporcionados por el usuario, espec\u00edficamente los atributos 'text' y 'cat'. El atributo 'text' se env\u00eda directamente al contenido HTML en la l\u00ednea 159 sin ning\u00fan escape (p. ej., esc_html()). El atributo 'cat' se utiliza sin escape en los atributos de clase HTML en las l\u00edneas 135 y 157 sin esc_attr(). Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-4278", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T05:16:39.917", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L157"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L159"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L135"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L157"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L159"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487364%40simple-download-counter&new=3487364%40simple-download-counter&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f23dec73-9031-4829-a84b-4979c8e8ded4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Simple Download Counter", "source": "cna", "vendor": "specialk"}, "product": "simple_download_counter", "vendor": "specialk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T06:21:19.901018+00:00", "value": {"mitigation_remediation": ["Update the Simple Download Counter plugin to a version newer than 2.3 that includes the fix.", "If an update cannot be performed immediately, remove the plugin or disable the sdc_menu shortcode from publicly accessible pages.", "Limit Contributor and higher privileges to trusted users or temporarily revoke contributor rights while the issue is resolved."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress installations running the Simple Download Counter plugin version 2.3 or earlier are affected. The vulnerability applies to all releases up to and including 2.3 and requires the attacker to have at least Contributor level privileges to edit or create content that uses the vulnerable shortcode.", "description_and_impact": "The Simple Download Counter WordPress plugin contains a stored XSS weakness that arises when the 'text' and 'cat' attributes of the sdc_menu shortcode are not sanitized or escaped before being written to the page. An attacker who can add or edit content and has Contributor level access can supply malicious JavaScript that is injected directly into the HTML of any post, page, or widget containing the shortcode, causing the script to run in the browsers of all visitors that view the page. This does not grant direct server access but enables client\u2011side attacks such as phishing or cookie theft for any user who loads the affected content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. Exploitation requires authenticated access, specifically Contributors or higher, which limits the potential attacker pool. The flaw is not listed in CISA\u2019s KEV catalog and no EPSS score is available, but any user who views an affected page could be exposed to arbitrary script execution."}}}}, "created": "2026-03-26T11:30:36.331239+00:00", "updated": "2026-03-26T12:08:36.359444+00:00", "vendors": ["specialk", "specialk$PRODUCT$simple_download_counter", "wordpress", "wordpress$PRODUCT$wordpress"]}