The Wordfence Threat Intelligence team identified a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.
The developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.