CVE-2019-15889

MEDIUM NUCLEI

WordPress Download Manager < 2.9.94 - Cross-Site Scripting via Category Shortcode Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-15889. PoCs published by MgThuraMoeMyint. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in WordPress Download Manager plugin version 2.9.93. The vulnerability is triggered by injecting malicious scripts into the 'orderby' parameter in category short-code URLs or the advanced search feature.

Description

The download-manager plugin before 2.9.94 for WordPress has XSS via the category shortcode feature, as demonstrated by the orderby or search[publish_date] parameter.

Exploits (1)

exploitdb WORKING POC
by MgThuraMoeMyint · textwebappsphp
https://www.exploit-db.com/exploits/47350

This exploit demonstrates a reflected XSS vulnerability in WordPress Download Manager plugin version 2.9.93. The vulnerability is triggered by injecting malicious scripts into the 'orderby' parameter in category short-code URLs or the advanced search feature.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WordPress Download Manager 2.9.93
No auth needed
Prerequisites: Access to a vulnerable WordPress site with the Download Manager plugin installed
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress Download Manager <2.9.94 - Cross-Site Scripting
MEDIUMby daffainfo

References (7)

Core 7
Core References
Product, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/download-manager/#developers
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9257
Third Party Advisory x_refsource_misc
https://www.cybersecurity-help.cz/vdb/SB2019041819
Patch, Third Party Advisory x_refsource_misc
https://plugins.trac.wordpress.org/changeset/2070388/download-manager

Scores

CVSS v3 6.1
EPSS 0.1253
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
w3eden/download_manager < 2.9.94
Published Sep 03, 2019
Tracked Since Feb 18, 2026