PT-2026-28200 · WordPress · Simple Download Counter

Djaidja Moundjid · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4278

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Simple Download Counter plugin for WordPress versions prior to 2.3

Description

The Simple Download Counter plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'sdc menu' shortcode. This is a result of inadequate input sanitization and output escaping of user-provided shortcode attributes, specifically the text and cat attributes. The text attribute is directly included in HTML content without escaping, and the cat attribute is used unescaped in HTML class attributes. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the affected page.

Recommendations

Update to a version newer than 2.3.
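
The flaw class described above, shown as an added example that is not the plugin's code: a hypothetical `demo_menu` shortcode with `text` and `cat` attributes, rendered first without escaping and then escaped for each output context. The handler names and markup are assumptions; `shortcode_atts`, `sanitize_html_class`, `esc_attr`, `esc_html` and `add_shortcode` are WordPress core functions, so the file is meant to be loaded as a plugin.

```php
<?php
/**
 * Plugin Name: Shortcode escaping demo (hypothetical, not Simple Download Counter code)
 */

// Flawed pattern: both attributes reach the markup exactly as the post
// author typed them in the shortcode.
function demo_menu_unescaped( $atts ) {
    $atts = shortcode_atts( array( 'text' => 'Downloads', 'cat' => '' ), $atts, 'demo_menu' );
    // 'cat' lands inside a class attribute, 'text' inside element content.
    return '<div class="demo-menu ' . $atts['cat'] . '">' . $atts['text'] . '</div>';
}

// Hardened form: each value is escaped for the context it is written into.
function demo_menu_escaped( $atts ) {
    $atts = shortcode_atts( array( 'text' => 'Downloads', 'cat' => '' ), $atts, 'demo_menu' );

    // Reduce 'cat' to valid class tokens; drop any token that empties out.
    $classes = array( 'demo-menu' );
    $tokens  = preg_split( '/[\s,]+/', (string) $atts['cat'], -1, PREG_SPLIT_NO_EMPTY );
    foreach ( $tokens as $token ) {
        $token = sanitize_html_class( $token );
        if ( '' !== $token ) {
            $classes[] = 'cat-' . $token;
        }
    }

    return sprintf(
        '<div class="%s">%s</div>',
        esc_attr( implode( ' ', $classes ) ), // attribute context
        esc_html( (string) $atts['text'] )    // element-content context
    );
}

// Register only the hardened handler.
add_shortcode( 'demo_menu', 'demo_menu_escaped' );
```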

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4278

Affected Products

Simple Download Counter