CVE-2025-5034: 
WordPress vulnerability analysis and mitigation

The wp-file-download WordPress plugin before version 6.2.6 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-5034. The vulnerability was discovered and disclosed on May 31, 2025, affecting the plugin's parameter handling functionality (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of a parameter before it is output back in the page. This security flaw has been classified under CWE-79 (Cross-Site Scripting) and received a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (Wiz).

When exploited, this vulnerability could allow attackers to execute arbitrary web scripts in the context of other users' browsers, potentially leading to session hijacking, credential theft, or other malicious actions when an administrator visits a specially crafted page (Wiz).

The vulnerability has been patched in version 6.2.6 of the wp-file-download plugin. Users are strongly advised to update to this version or later to protect against this security risk (Wiz).