Z-Downloads < 1.11.6 - Unauthenticated Stored XSS
Description
The Z-Downloads WordPress plugin before 1.11.6 fails to sanitize output in share URLs, allowing unauthenticated stored XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Z-Downloads WordPress plugin before version 1.11.6 does not sanitize and escape some parameters when outputting them in the page, specifically within share URLs [1]. This allows unauthenticated visitors to inject arbitrary JavaScript code that is stored and executed when the share URL is accessed.
Exploitation
An attacker can craft a malicious share URL containing a JavaScript payload. No authentication is required to create or access such URLs. When an unauthenticated victim visits the crafted URL, the injected script executes in their browser context [1].
Impact
Successful exploitation results in stored Cross-Site Scripting (XSS). The attacker can execute arbitrary JavaScript in the victim's session, potentially leading to cookie theft, page defacement, or redirection to malicious sites.
Mitigation
The vulnerability is fixed in version 1.11.6 of the Z-Downloads plugin [1]. Users should update to this version immediately. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Z-Downloads WordPress plugin, affected version range: < 1.11.6
Patches
No patches discovered yet.
References
[1] wpscan.com/vulnerability/604e990e-9bec-469e-8630-605eea74e12c/ (reference tags: mitre, exploit, vdb-entry, technical-description)