Download Manager WordPress Plugin Stored Cross-Site Scripting Vulnerability
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because wp_kses_post filters post content on save for users without unfiltered_html, only kses-allowed tag and attribute payloads that survive save-time filtering will reach the unescaped sink; however, the sink itself remains unsafe and such payloads can still execute in the browser when a user renders the shortcode.
Quick answer
Download Manager should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Download Manager up to and including 3.3.61
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Download Manager is affected by CVE-2026-14343. Vulnerable versions up to 3.3.61 allow stored cross-site scripting: contributor-level users can inject script through note_before and note_after shortcode attributes. Patch or disable the plugin, then clean stored content and review administrator sessions.
- Inventory all WordPress sites using Download Manager.
- Update Download Manager beyond 3.3.61 when a vendor-fixed release is available.
- Disable the plugin temporarily if patching is delayed and the affected workflow is reachable.
- Review shortcode attributes, form submissions, merge fields, blocks, and plugin records for stored script payloads.
- Remove malicious content and purge WordPress, object, page, and CDN caches.
- Apply a Content Security Policy where compatible to reduce XSS impact.
- Review administrator sessions and reset credentials if privileged users interacted with injected content.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Download Manager is no longer running version 3.3.61 or older.
- Submit harmless script-like input in staging and confirm it is rejected or escaped on output.
- Open affected pages or admin lookup flows and confirm no stored script executes.
- Review rendered HTML for unsafe unescaped plugin attributes.
- Run a Fixnx scan and verify public WordPress exposure after cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-14343?
Download Manager versions listed as affected should be reviewed: Download Manager up to and including 3.3.61.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
