CVE-2024-8284: 
WordPress vulnerability analysis and mitigation

The Download Manager WordPress plugin before version 3.2.99 contains a Cross-Site Scripting (XSS) vulnerability that was publicly disclosed on July 30, 2024. The vulnerability affects high-privilege users such as editors, allowing them to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disabled (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS 3.1 Base Score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The security flaw stems from insufficient sanitization and escaping of certain plugin settings in the Download Manager WordPress plugin (CISA-ADP, WPScan).

When exploited, this vulnerability enables high-privilege users to execute Cross-Site Scripting attacks. While the impact is somewhat constrained due to the requirement of high privileges, it can still result in the execution of malicious scripts in users' browsers when viewing affected pages (WPScan).

The vulnerability has been addressed in version 3.2.99 of the Download Manager WordPress plugin. Users are strongly recommended to update to this version or later to mitigate the security risk (WPScan).