CVE-2024-54206

Vulnerability

The Z-Downloads plugin for WordPress (versions up to and including 1.11.7) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows attackers with contributor-level access or higher to inject malicious scripts that are stored and executed when other users view the affected pages. The vulnerability exists in the plugin's handling of shortcode attributes or other input fields that are not sanitized before output.

Exploitation

An attacker must have at least Contributor-level access to the WordPress site. They can craft a malicious payload, such as a JavaScript snippet, and inject it into a vulnerable input field (e.g., a shortcode parameter or file description). When an administrator or other user visits the page containing the injected content, the script executes in their browser context. No additional user interaction beyond viewing the page is required.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data (e.g., cookies, authentication tokens), or further administrative actions if the victim is a privileged user. The attack is stored, meaning the malicious script persists and affects all subsequent visitors.

Mitigation

The vulnerability is fixed in version 1.12.1 of the Z-Downloads plugin, released on November 4, 2025 [1]. Users should update to this version or later immediately. No workarounds are documented. The plugin is available from the WordPress plugin repository. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.