VYPR
Medium severity (6.1) · NVD Advisory · Published Feb 18, 2026 · Updated Apr 15, 2026

CVE-2026-1666

Description

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress Download Manager plugin via unsanitized redirect_to parameter in login form shortcode, allowing unauthenticated script injection.

The Download Manager plugin for WordPress versions up to 3.3.46 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the login form shortcode [wpdm_login_form]. The 'redirect_to' GET parameter is not properly sanitized or escaped, allowing injected scripts to be reflected in the page. The official documentation shows that the 'redirect' parameter accepts a URL to redirect users after login, but the plugin fails to validate or sanitize this input [1].

Exploitation requires no authentication; any unauthenticated attacker can craft a malicious link with a 'redirect_to' parameter containing JavaScript. The attack depends on social engineering — the victim must click the crafted link. This type of attack is often delivered via phishing emails or forum posts. The parameter is processed server-side and reflected, executing the script in the user's browser context [1].

Successful exploitation leads to arbitrary script execution in the victim's browser session, enabling cookie theft, session hijacking, redirection to malicious sites, or defacement of the page. Because the vulnerability is reflected, impact is limited to users who interact with the malicious link.

Users should update to version 3.3.47 or later once available. As of the publication date, the vendor was notified and a fix should be forthcoming. Until patched, avoid clicking untrusted links that involve the login form and consider using a Web Application Firewall (WAF) to block malicious query strings.
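The defect class described above, reflecting a GET parameter into the login form without validation or escaping, and the shape of a proper fix, as an added illustration using a hypothetical shortcode handler; this is not the Download Manager plugin's own code, and the function and shortcode names (`example_login_form_vulnerable`, `example_login_form_fixed`, `example_login_form`) are assumptions:

```php
<?php
// Hypothetical handler (not the plugin's code) showing the defect class behind
// CVE-2026-1666: a GET parameter reflected into HTML with no escaping.
function example_login_form_vulnerable( $atts ) {
    // The documented 'redirect' shortcode attribute supplies the default;
    // the 'redirect_to' GET parameter overrides it.
    $atts     = shortcode_atts( array( 'redirect' => home_url( '/' ) ), $atts );
    $redirect = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : $atts['redirect'];

    // BUG: attacker-controlled value written into an attribute unescaped, so a
    // crafted link can terminate the attribute and inject markup into the page.
    return '<form method="post" action="' . wp_login_url() . '">'
         . '<input type="hidden" name="redirect_to" value="' . $redirect . '">'
         . '<input type="text" name="log"><input type="password" name="pwd">'
         . '<input type="submit" value="Log in"></form>';
}

// Hardened version: validate the destination on input, escape on output.
function example_login_form_fixed( $atts ) {
    $atts     = shortcode_atts( array( 'redirect' => home_url( '/' ) ), $atts );
    $redirect = $atts['redirect'];

    if ( isset( $_GET['redirect_to'] ) ) {
        // Unslash and strip tags/control characters from the raw request value.
        $candidate = sanitize_text_field( wp_unslash( $_GET['redirect_to'] ) );
        // wp_validate_redirect() only accepts local URLs (or hosts whitelisted via
        // the 'allowed_redirect_hosts' filter) and otherwise returns the fallback,
        // which also closes off open-redirect abuse of the same parameter.
        $redirect = wp_validate_redirect( $candidate, $atts['redirect'] );
    }

    // esc_url() rejects disallowed schemes such as javascript: and strips or
    // encodes quote characters, so the value cannot break out of the attribute.
    return '<form method="post" action="' . esc_url( wp_login_url() ) . '">'
         . '<input type="hidden" name="redirect_to" value="' . esc_url( $redirect ) . '">'
         . '<input type="text" name="log"><input type="password" name="pwd">'
         . '<input type="submit" value="Log in"></form>';
}
add_shortcode( 'example_login_form', 'example_login_form_fixed' );
```

Reviewing a plugin for this bug class means locating every place a request parameter reaches HTML output and confirming both steps, validation of the destination and context-appropriate escaping, are present; a WAF rule on the query string is only a stopgap until the output path is fixed.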

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0. No linked articles in our index yet.