PT-2026-31571 · WordPress · Download Manager

Djaidja Moundjid · Published 2026-04-09 · Updated 2026-04-19

CVE-2026-5357
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Download Manager plugin for WordPress, versions up to and including 3.3.52
Description: The Download Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting through the sid parameter of the 'wpdm_members' shortcode. This occurs because of inadequate input sanitization and output escaping of the user-supplied sid shortcode attribute. The sid parameter is extracted without sanitization within the members() function and stored using update_post_meta(), then directly echoed into an HTML id attribute in the members.php template without esc_attr(). This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which will execute when a user accesses the affected page.
Recommendations:
- Update to Download Manager plugin for WordPress version 3.3.53 or later
- Disable the 'wpdm_members' shortcode if it is not required
- Sanitize and escape the sid parameter before using it in the 'wpdm_members' shortcode
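The pattern the advisory describes (a shortcode attribute stored with update_post_meta() and later echoed into an id attribute without esc_attr()) and the corresponding fix, as an added illustration in PHP. This is not the Download Manager plugin's code; the shortcode name, meta key and function names are hypothetical, and the snippet assumes it runs inside WordPress, where shortcode_atts(), update_post_meta(), get_post_meta(), sanitize_html_class() and esc_attr() are core functions.

```php
<?php
/*
 * Hypothetical shortcode handler (not the plugin's code), shown first in the
 * flawed shape the advisory describes and then hardened. Assumes WordPress is
 * loaded; the names example_members and _example_members_sid are made up.
 */

// Flawed pattern: the attribute is persisted as typed and echoed unescaped.
function example_members_vulnerable( $atts ) {
    $atts    = shortcode_atts( array( 'sid' => '' ), $atts, 'example_members' );
    $post_id = get_the_ID();

    // No sanitization: whatever the post author supplied is stored verbatim.
    update_post_meta( $post_id, '_example_members_sid', $atts['sid'] );

    // No escaping: a double quote in $sid terminates the id attribute and the
    // remainder of the value becomes markup. Contributors can save shortcodes,
    // so this is reachable by low-privilege authors.
    $sid = get_post_meta( $post_id, '_example_members_sid', true );
    return '<div id="' . $sid . '" class="members"></div>';
}

// Hardened version: constrain on input, escape on output.
function example_members_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'sid' => '' ), $atts, 'example_members' );
    $post_id = get_the_ID();

    // An id only needs [A-Za-z0-9_-]. sanitize_html_class() strips everything
    // else (quotes, angle brackets, spaces) and falls back to 'members' if
    // nothing is left, so the stored value is already inert.
    $sid = sanitize_html_class( $atts['sid'], 'members' );
    update_post_meta( $post_id, '_example_members_sid', $sid );

    // Escape at the point of output regardless: rows written before the fix
    // may still hold raw values, and the input filter could be relaxed later.
    // In a template file the same idea is <div id="<?php echo esc_attr( $sid ); ?>">.
    $sid = get_post_meta( $post_id, '_example_members_sid', true );
    return '<div id="' . esc_attr( $sid ) . '" class="members"></div>';
}

add_shortcode( 'example_members', 'example_members_hardened' );
```

Both halves of the fix matter: sanitizing only at input leaves previously stored values live, and escaping only at output leaves raw attacker-controlled strings in post meta for any other code path to pick up. When auditing a site for this class of issue, post content containing the affected shortcode with a sid value that is not purely alphanumeric is the quickest thing to look for.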

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-5357

Affected Products: Download Manager