Stored Cross-site Scripting Vulnerability in Shahjada Download Manager
CVE-2026-39615

5.9 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 8 April 2026

What is CVE-2026-39615?

The Shahjada Download Manager plugin contains a stored cross-site scripting (XSS) vulnerability. It is caused by improper neutralization of input during web page generation, which allows attackers to inject malicious scripts that could be executed in the context of a user's browser session. The vulnerability affects Download Manager versions from an unspecified version up to 3.3.53. Implementing appropriate sanitization and validation of user input can help mitigate the risk associated with this issue.

Affected Version(s)

Download Manager 0 <= 3.3.53

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

hhhai | Patchstack Bug Bounty Program