CVE-2026-1666 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the codename065 Download Manager plugin for WordPress, affecting all versions up to and including 3.3.46. The vulnerability stems from improper neutralization of input during web page generation, specifically due to insufficient sanitization and output escaping of the 'redirect_to' GET parameter used in the login form shortcode. Because this parameter is directly reflected in the page output without adequate filtering, an attacker can craft a malicious URL containing JavaScript payloads. When a user clicks such a link, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The attack does not require any authentication but does require user interaction (clicking the malicious link). The vulnerability has a CVSS 3.1 score of 6.1, indicating medium severity with a network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The scope is changed (S:C) because the vulnerability affects resources beyond the vulnerable component, such as user sessions or other site data. Currently, there are no known exploits in the wild, but the presence of this vulnerability in a widely used WordPress plugin poses a significant risk. The plugin is commonly used to manage downloadable content on WordPress sites, which are prevalent across many sectors. The vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions and data. Exploitation could allow attackers to hijack user sessions, steal credentials, or perform phishing attacks by injecting malicious scripts into login forms. This is particularly concerning for organizations relying on WordPress sites with public-facing login forms, such as e-commerce platforms, government portals, and service providers. The reflected XSS can also facilitate further attacks like malware distribution or unauthorized actions performed on behalf of users. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations with high volumes of user interactions on affected sites are at greater risk. The medium CVSS score reflects the need for timely mitigation to prevent exploitation, especially since no authentication is required and the attack surface is broad due to the network vector. The absence of known exploits in the wild reduces immediate urgency but does not eliminate the threat, as attackers often develop exploits rapidly after disclosure.

1. Monitor the codename065 plugin repository and official channels for a security patch and apply it immediately upon release. 2. Until a patch is available, implement manual input validation and output escaping on the 'redirect_to' parameter within the plugin code or via web application firewall (WAF) rules to block or sanitize malicious payloads. 3. Employ a robust WAF with specific rules to detect and block reflected XSS attempts targeting the 'redirect_to' parameter. 4. Educate users and administrators to be cautious about clicking on suspicious links, especially those that include unusual URL parameters. 5. Conduct regular security audits and penetration tests focusing on input validation and output encoding in WordPress plugins. 6. Consider temporarily disabling or restricting access to the login form shortcode that uses the vulnerable parameter if feasible. 7. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. 8. Maintain up-to-date backups and incident response plans to quickly recover in case of compromise. 9. Review and tighten user session management to detect and prevent session hijacking attempts. 10. For organizations with high-risk profiles, consider isolating critical WordPress instances or using reverse proxies to add additional security layers.