EIP-2026-113690

PRE-CVE

WordPress Plugin Download Manager Free 2.7.94 & Pro 4 - (Authenticated) Persistent Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113690. PoCs published by Filippos Mastrogiannis.

AI-analyzed exploit summary: This is a technical writeup describing a stored XSS vulnerability in WordPress Download Manager Free 2.7.94 & Pro 4. The vulnerability allows authenticated users to inject malicious code via the filename of an uploaded file, which executes when an admin edits the download package.

Description

WordPress Plugin Download Manager Free 2.7.94 & Pro 4 - (Authenticated) Persistent Cross-Site Scripting

Exploits (1)

exploitdb WRITEUP
by Filippos Mastrogiannis · text · webapps · php
https://www.exploit-db.com/exploits/37622

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Download Manager Free 2.7.94 & Pro 4
Auth required
Prerequisites: Authenticated user access to WordPress Download Manager
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026