CVE-2025-10146 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Download Manager plugin for WordPress developed by codename065. This vulnerability affects all versions up to and including 3.3.23. The root cause is insufficient input sanitization and output escaping of the 'user_ids' parameter, which allows unauthenticated attackers to inject arbitrary JavaScript code into web pages generated by the plugin. When a victim user is tricked into clicking a crafted link containing malicious script payloads in the 'user_ids' parameter, the injected script executes in the context of the victim's browser. This can lead to theft of session cookies, user impersonation, redirection to malicious sites, or other malicious actions that compromise confidentiality and integrity of user data. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact on confidentiality and integrity is low, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. However, given the widespread use of WordPress and the popularity of the Download Manager plugin, this vulnerability poses a tangible risk if exploited.

For European organizations, this vulnerability presents a moderate risk primarily to websites using the affected Download Manager plugin on WordPress. Exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, or distribution of malware via injected scripts. This can compromise user data confidentiality and trust in the affected websites, potentially leading to reputational damage and regulatory scrutiny under GDPR if personal data is exposed. Organizations relying on this plugin for document or file management may face operational disruptions if users are targeted by phishing campaigns leveraging this XSS flaw. While the vulnerability does not directly impact availability, the indirect effects such as loss of customer trust and potential legal consequences can be significant. The requirement for user interaction (clicking a malicious link) means social engineering is necessary, but the lack of authentication requirement lowers the barrier for attackers. European organizations with public-facing WordPress sites using this plugin should consider this a medium priority threat.

1. Immediate mitigation should include disabling or removing the Download Manager plugin until a vendor patch is released. 2. If removal is not feasible, implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing malicious payloads in the 'user_ids' parameter. 3. Educate users and administrators about the risks of clicking untrusted links, especially those that appear to interact with the affected website. 4. Monitor web server logs for unusual query strings targeting the 'user_ids' parameter to detect potential exploitation attempts. 5. Apply Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected sites. 6. Once available, promptly apply official patches or updates from codename065 addressing this vulnerability. 7. Conduct regular security assessments and penetration tests focusing on input validation and output encoding in all web-facing components. 8. Consider implementing multi-factor authentication and session management best practices to reduce impact if session tokens are compromised.