CVE-2025-4367: 
WordPress vulnerability analysis and mitigation

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's wpdmuserdashboard shortcode in versions up to and including 3.3.18. This vulnerability was discovered and disclosed in June 2025, and has been assigned CVE-2025-4367. The issue affects the WordPress plugin Download Manager and has been patched in version 3.3.19, released on June 18, 2025 (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes in the wpdmuserdashboard shortcode. The security flaw has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (NVD).

The vulnerability allows authenticated attackers with author-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially leading to unauthorized data access or manipulation of user sessions (NVD, Wiz).

The vulnerability has been patched in version 3.3.19, released on June 18, 2025. Users are strongly advised to update to this version or later. The update includes improved sanitization of the image alt attribute in the wpdmthumb function ([WordPress Plugin](https://plugins.trac.wordpress.org/changeset?sfpemail=&sfphmail=&reponame=&new=3313608%40download-manager&old=3308801%40download-manager&sfpemail=&sfph_mail=)).