CVE-2024-1766
Description
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with the injected payload for execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Download Manager plugin via user Display Name allows authenticated attackers with subscriber-level access to inject scripts, requiring social engineering.
Vulnerability
The Download Manager plugin for WordPress (versions up to and including 3.2.86) contains a stored cross-site scripting vulnerability in the handling of user Display Names. The plugin fails to properly sanitize input and escape output when displaying a user's Display Name, allowing authenticated users with subscriber-level access or higher to inject arbitrary web scripts. The vulnerability is present in all versions up to 3.2.86 [1].
Exploitation
An attacker must have at least subscriber-level access to the WordPress site. The attacker changes their Display Name to include a malicious script (e.g., JavaScript). The attacker then must socially engineer a victim to log in as the attacker's account (the account with the injected payload) for the script to execute. The script will run when the victim accesses a page that displays the attacker's Display Name, such as a download page authored by the attacker.
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts that execute in the context of the victim's browser. However, the impact is very limited because the attacker must trick a user into logging in as the attacker's account for the script to trigger. The attacker could potentially perform actions such as stealing session cookies or redirecting the user, but the requirement significantly reduces the likelihood of successful exploitation.
Mitigation
The vulnerability is fixed in version 3.2.87 and later. Users should update the Download Manager plugin to the latest version (3.3.55 as of this writing) to remediate the issue. No workarounds are available; updating is the recommended action.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=3.2.86+ 1 more
- (no CPE)range: <=3.2.86
- (no CPE)range: <=3.2.86
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.