Stored Cross-Site Scripting Vulnerability in Download Manager Plugin for WordPress
CVE-2025-3056

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Download Manager
Vendor: CVE Published:; 18 April 2025

Summary

The Download Manager plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping. This flaw allows authenticated attackers with Author-level access and higher to upload SVG files containing malicious web scripts. When users access these SVG files, the injected scripts can execute, potentially compromising user data and site security. All versions up to and including 3.3.12 are impacted, necessitating immediate attention to patch and secure affected installations.

References

https://plugins.trac.wordpress.org/changeset/3275196/

https://wordpress.org/plugins/download-manager/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 18, 2025