CVE-2025-4367: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in codename065 Download Manager
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-4367 is a stored cross-site scripting (XSS) vulnerability identified in the codename065 Download Manager plugin for WordPress, affecting all versions up to and including 3.3.18. The vulnerability is due to improper neutralization of script-related HTML tags (CWE-80) within the plugin's wpdm_user_dashboard shortcode. Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes before rendering them on pages. This flaw allows authenticated attackers with author-level privileges or higher to inject arbitrary JavaScript code into pages that are stored persistently. When other users access these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or unauthorized actions within the WordPress site. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network (remote), low attack complexity, privileges required at the author level, no user interaction needed, and a scope change affecting confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk in multi-user WordPress environments where authors can contribute content. The root cause lies in insufficient input validation and output encoding in the plugin’s code, a common issue in web applications that handle user-generated content. Since the plugin is widely used for managing downloads on WordPress sites, the vulnerability could be leveraged to compromise site visitors or administrators if exploited.
Potential Impact
The impact of CVE-2025-4367 can be substantial for organizations using the affected Download Manager plugin on WordPress sites, especially those with multiple authors or contributors. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the vulnerable site, leading to potential session hijacking, theft of sensitive information, unauthorized actions performed on behalf of other users, and defacement or redirection attacks. This compromises both the confidentiality and integrity of the affected website and its users. While availability is not directly impacted, the trustworthiness and security posture of the site can be severely damaged. For organizations relying on WordPress for content management, e-commerce, or customer engagement, such an attack could result in reputational damage, data breaches, and compliance violations. The requirement for author-level privileges limits exploitation to insiders or compromised accounts, but this is a realistic threat in many collaborative environments. The vulnerability also poses risks to site visitors who may unknowingly execute malicious scripts, potentially leading to broader attacks such as credential theft or malware distribution.
Mitigation Recommendations
To mitigate CVE-2025-4367, organizations should update the codename065 Download Manager plugin to a patched version as soon as one is available; this record provides no patch links, so monitoring vendor updates is critical. Until a patch is released, restrict author-level and higher privileges to trusted users only, minimizing the risk of malicious script injection. Implement additional input validation and output encoding at the application or web server level, such as using a Web Application Firewall (WAF) with rules targeting stored XSS patterns in WordPress plugins. Regularly audit user-generated content for suspicious scripts or anomalies, and employ security plugins that can detect and sanitize malicious inputs. Educate content authors about the risks of injecting untrusted code and enforce the principle of least privilege. Additionally, enable Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. Monitor logs and user behavior for signs of exploitation attempts. Finally, maintain regular backups and have an incident response plan ready to address any compromise swiftly.
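As an added illustration of the CWE-80 pattern described in the analysis and of the escaping the mitigation section calls for, the following is a hypothetical shortcode handler, not the Download Manager plugin's own code; the shortcode name `demo_dashboard` and the attributes `title` and `css_class` are invented for the example:

```php
<?php
// Hypothetical WordPress shortcode handler (constructed example, not plugin code).
// Shows the root-cause pattern of CVE-2025-4367 beside a hardened version.

// Vulnerable pattern: attribute values supplied by whoever wrote the shortcode
// (an author-level user) are concatenated straight into the page markup.
function demo_dashboard_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'My Downloads', 'css_class' => '' ),
        $atts,
        'demo_dashboard'
    );
    // No sanitization on input and no escaping on output: stored XSS.
    return '<div class="' . $atts['css_class'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: sanitize on input, then escape for the exact output context.
function demo_dashboard_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'My Downloads', 'css_class' => '' ),
        $atts,
        'demo_dashboard'
    );

    // Reduce the class to a single valid CSS class token (allow-list, not block-list).
    $css_class = sanitize_html_class( $atts['css_class'] );
    // Strip tags and control characters from free text on the way in.
    $title = sanitize_text_field( $atts['title'] );

    // Escape again on the way out, choosing the function for the context:
    // esc_attr() inside an HTML attribute, esc_html() inside a text node.
    return sprintf(
        '<div class="%s"><h3>%s</h3></div>',
        esc_attr( $css_class ),
        esc_html( $title )
    );
}

add_shortcode( 'demo_dashboard', 'demo_dashboard_hardened' );
```

The hardened handler still accepts the same attributes; the difference is that attribute values can no longer break out of the attribute or element they are rendered into.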
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-05T18:08:42.449Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68538ba433c7acc0460837eb
Added to database: 6/19/2025, 4:01:40 AM
Last enriched: 2/27/2026, 2:27:09 PM
Last updated: 3/24/2026, 4:25:48 PM