EIP-2026-114028

PRE-CVE

WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-114028. PoCs published by Mr Winst0n.

AI-analyzed exploit summary This exploit demonstrates a stored Cross-Site Scripting (XSS) vulnerability in the WordPress Sell Downloads plugin version 1.0.86. The PoC involves injecting malicious JavaScript via the 'Add Comment' feature, which executes when the product page is viewed.

Description

WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting

Exploits (1)

exploitdb WORKING POC

by Mr Winst0n · textwebappsphp

https://www.exploit-db.com/exploits/47369

View Code ZIP pw:eip

This exploit demonstrates a stored Cross-Site Scripting (XSS) vulnerability in the WordPress Sell Downloads plugin version 1.0.86. The PoC involves injecting malicious JavaScript via the 'Add Comment' feature, which executes when the product page is viewed.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin Sell Downloads 1.0.86

Auth required

Prerequisites: Access to WordPress admin panel · Sell Downloads plugin version 1.0.86 installed

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026