VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2014 · Updated Apr 29, 2026

CVE-2013-7319

Description

Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WordPress Download Manager plugin before 2.5.9 allows stored XSS via unsanitized title field, enabling script injection.

Vulnerability

The Download Manager plugin for WordPress, versions before 2.5.9, is vulnerable to persistent (stored) cross-site scripting (XSS) in the title field when creating a new download package. The plugin fails to properly sanitize user-supplied input in the title field, allowing injection of arbitrary HTML and JavaScript [1][2][3].

Exploitation

An attacker with the ability to create or edit download packages (typically an authenticated user with author-level privileges or higher) can submit a crafted title containing malicious script, such as `` [3]. When any user views the download package or a page displaying that title, the script executes in their browser context.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's WordPress session. This can lead to session cookie theft, phishing, or other actions performed under the victim's identity and permissions [1][3]. The attack is persistent, affecting all future visitors of the compromised download package.

Mitigation

The vulnerability is fixed in version 2.5.9 of the Download Manager plugin [1]. Users should update to at least this version immediately. As of the available references, no other workarounds are documented; avoiding the use of the title field with untrusted input is not a practical workaround. The current plugin version as of 2026 is 3.3.55, indicating that the patched version has long since been available [2].
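
Added example, not the plugin's code (which this page does not show): the unescaped-title rendering pattern that the description implies, next to an escaped renderer and a check for titles that were stored before the update. Function names, markup and sample titles are constructed for illustration; plain PHP functions stand in for the WordPress helpers named in the comments.

```php
<?php
// Illustration only. In WordPress the usual equivalents are
// sanitize_text_field() when saving and esc_html() when printing.

// Vulnerable pattern: the stored title is concatenated into markup unchanged,
// so any tags it contains become part of the page.
function render_title_unsafe(string $title): string {
    return '<h3 class="package-title">' . $title . '</h3>';
}

// Hardened pattern: encode for the HTML element context at output time.
// This also neutralises titles that were stored before the fix was applied.
function render_title_safe(string $title): string {
    return '<h3 class="package-title">'
        . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</h3>';
}

// Audit helper: a package title is plain text, so any angle bracket in a
// stored title is worth a manual look after updating.
function title_needs_review(string $stored): bool {
    return preg_match('/[<>]/', $stored) === 1;
}

// Constructed sample titles (not taken from the advisory or its references).
$titles = [
    'Quarterly report (PDF)',
    'Tools & Utilities',
    '<script>alert(1)</script>Free download',
    'Release notes <b>v2</b>',
];

foreach ($titles as $title) {
    $flag = title_needs_review($title) ? 'REVIEW' : 'ok';
    echo $flag, PHP_EOL;
    echo '  unsafe: ', render_title_unsafe($title), PHP_EOL;
    echo '  safe:   ', render_title_safe($title), PHP_EOL;
}
```

Run it with `php` on the command line and compare the two rendered lines for the flagged titles: the unsafe output contains live tags, the safe output contains only `&lt;` and `&gt;` entities.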

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

7
