cleantalk
Vulnerabilities and Security Researches

Download Manager, CVE-2026-1666

CVE, Research URL

CVE-2026-1666

Home page URL

Security reports for Download Manager

Application

Download Manager

Published on
Feb 18, 2026
Research Description
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 3.3.47.
Status
vulnerable
Previous vulnerability researches
GNA Search Shortcode (CVE-2025-46540) , Apr 26, 2025
New vulnerability
WP Accessibility (CVE-2026-2362) , Apr 15, 2026
Community Events (CVE-2026-2429) , Apr 15, 2026
3D FlipBook – PDF Flipbook WordPress (CVE-2026-1314) , Apr 15, 2026
Responsive Contact Form Builder & Lead Generation Plugin (CVE-2026-1454) , Apr 15, 2026
wpForo Forum (CVE-2026-1581) , Apr 15, 2026