Security Alert Summary
The Simple Download Counter plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its sdc_menu shortcode. Insufficient input sanitization and output escaping of shortcode attributes allows authenticated users with Contributor-level access and above to inject HTML or JavaScript that can execute when a page with the injected shortcode is viewed.
CVE Details
- CVE ID: CVE-2026-4278
- Affected component: Simple Download Counter plugin for WordPress (the sdc_menu shortcode)
- Affected versions: all versions up to, and including, 2.3
- Published / Last modified: March 26, 2026 at 05:16:39 AM UTC
- CVSS v3.1: Base Score 6.4 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction: Exploitation requires an authenticated user with low privileges (Contributor-level access and above, PR:L). No further user interaction is required once the crafted shortcode has been saved (UI:N). Scope is Changed (S:C) because the injected script runs in the browser of whoever renders the page, which is a different security authority from the plugin that fails to escape the value.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The vulnerability is a stored cross-site scripting issue in the plugin’s sdc_menu shortcode. The plugin fails to properly sanitize and escape user-supplied shortcode attributes. Specifically, the text attribute is output directly into HTML content on line 159 without an escaping function such as esc_html(), and the cat attribute is inserted into HTML class attributes on lines 135 and 157 without esc_attr(). These unescaped attribute values allow an authenticated user with Contributor-level privileges or higher to inject HTML or JavaScript into pages where the shortcode is used. When a visitor or site user views a page containing the injected content, the script can execute in their browser context.
The referenced line numbers are in inc/functions-shortcode.php, linked in the References for both the 2.3 tag and trunk. The root cause is twofold: shortcode attribute values are not sanitized when the shortcode is parsed, and they are not escaped for the context they land in (HTML text for text, an HTML class attribute for cat) when the shortcode is rendered. Output escaping is the decisive control here, because a shortcode attribute is free text that any user who can edit a post can supply.
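The following PHP is an added illustration and is not the plugin's code: it reconstructs the pattern the advisory describes (a shortcode handler that concatenates the cat and text attributes straight into markup) next to a hardened version that escapes each value for its output context. The markup, the function names and the esc_html()/esc_attr()/shortcode_atts()/sanitize_html_class() stand-ins are assumptions so the file runs with plain php outside WordPress; inside WordPress the real helpers of those names are used instead. The attacker attribute values are constructed sample input.

```php
<?php
// Added example, not the Simple Download Counter plugin's code.
// Minimal stand-ins (assumptions) for the WordPress helpers, so this runs
// with plain `php`. Inside WordPress the genuine functions take precedence.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // Approximates the WP helper: keep only characters valid in a class token.
    function sanitize_html_class(string $s): string {
        return preg_replace('/[^A-Za-z0-9_-]/', '', $s);
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        $out = [];
        foreach ($defaults as $k => $v) {
            $out[$k] = array_key_exists($k, $atts) ? $atts[$k] : $v;
        }
        return $out;
    }
}

// Vulnerable shape (hypothetical markup): attribute values are concatenated
// into a class attribute and into element text with no escaping at all.
function example_menu_vulnerable(array $atts): string {
    $a = shortcode_atts(['cat' => '', 'text' => 'Downloads'], $atts);
    return '<div class="sdc-menu ' . $a['cat'] . '">'
         . '<span class="sdc-menu-title">' . $a['text'] . '</span>'
         . '</div>';
}

// Hardened shape: cat is reduced to a valid class token and escaped for an
// attribute context; text is escaped for an HTML text context.
function example_menu_hardened(array $atts): string {
    $a    = shortcode_atts(['cat' => '', 'text' => 'Downloads'], $atts);
    $cat  = esc_attr(sanitize_html_class($a['cat']));
    $text = esc_html($a['text']);
    return '<div class="sdc-menu ' . $cat . '">'
         . '<span class="sdc-menu-title">' . $text . '</span>'
         . '</div>';
}

// Constructed attacker-controlled attributes, as a Contributor could type them
// into a post:  [sdc_menu cat='" onmouseover="alert(1)' text='<img src=x onerror=alert(1)>']
$atts = [
    'cat'  => '" onmouseover="alert(1)',
    'text' => '<img src=x onerror=alert(1)>',
];

echo "vulnerable: " . example_menu_vulnerable($atts) . "\n";
echo "hardened:   " . example_menu_hardened($atts) . "\n";
```

In the vulnerable output the cat value closes the class attribute and adds an onmouseover handler, and the text value lands as a live img tag; in the hardened output both survive only as inert text. Note that the cat payload contains no HTML tag, so generic HTML filtering of post content (the KSES pass applied to users without the unfiltered_html capability) does not remove it: the plugin's own output escaping is the control that has to be present.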
How This Could Impact Your Website
Consider a site with multiple user roles: a site owner, internal editors, and external contributors. A contributor could add or edit content containing the vulnerable sdc_menu shortcode and include a crafted text or cat attribute value that carries script code. When an editor or a site visitor opens the page, that script could run in the context of their browser.
Practical consequences grounded in the reported impact include exposure of user-specific data visible in the page (confidentiality impact: low) and modification of page content or user-visible elements (integrity impact: low). Such injected scripts can be used to harvest visible email addresses or session-visible data and increase the risk of targeted phishing or social-engineering attacks against staff or contributors. The issue does not, based on the provided data, indicate direct full-site takeover or availability disruption.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the plugin as soon as a version later than 2.3 that fixes this issue is available; until then, consider deactivating it on sites where Contributor-level users can submit content.
- Review and reduce unnecessary user roles, especially contributor accounts with content-editing rights.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and content changes for unusual behavior, including unexpected shortcode attribute values in posts or pages.
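As an added helper for the monitoring step above (not part of the plugin or of WordPress), the PHP below extracts every [sdc_menu ...] shortcode from post content, parses its attributes, and flags cat or text values containing markup, a quote that would break out of an attribute, or an event-handler fragment. The $posts array is constructed sample data; the attribute parser is a small stand-in for WordPress's shortcode_parse_atts(), which is not available outside WordPress.

```php
<?php
// Added detection helper, not the plugin's code. Runs with plain `php` (7.4+).

// Return one associative array of attributes per [sdc_menu ...] occurrence.
function sdc_extract_shortcode_atts(string $content): array {
    $found = [];
    if (!preg_match_all('/\[sdc_menu\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER)) {
        return $found;
    }
    foreach ($m as $hit) {
        $atts = [];
        // name="value", name='value' or name=value (stand-in for shortcode_parse_atts()).
        if (preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/',
                           $hit[1], $am, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL)) {
            foreach ($am as $a) {
                $atts[strtolower($a[1])] = $a[2] ?? $a[3] ?? $a[4] ?? '';
            }
        }
        $found[] = $atts;
    }
    return $found;
}

// Legitimate values are a category slug and a short label; angle brackets,
// a double quote, a javascript: URL or an on*= handler have no business there.
function sdc_is_suspicious(string $value): bool {
    return (bool) preg_match('/[<>"]|javascript:|\bon[a-z]+\s*=/i', $value);
}

// $posts: list of ['ID' => int, 'post_content' => string]. Returns findings.
function sdc_scan_posts(array $posts): array {
    $findings = [];
    foreach ($posts as $post) {
        foreach (sdc_extract_shortcode_atts($post['post_content']) as $atts) {
            foreach (['cat', 'text'] as $name) {
                if (isset($atts[$name]) && sdc_is_suspicious($atts[$name])) {
                    $findings[] = ['ID' => $post['ID'], 'attr' => $name, 'value' => $atts[$name]];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows in the shape of wp_posts.ID / wp_posts.post_content.
$posts = [
    ['ID' => 11, 'post_content' => 'Grab the files: [sdc_menu cat="reports" text="Quarterly reports"]'],
    ['ID' => 12, 'post_content' => "[sdc_menu cat='\" onmouseover=\"alert(1)' text='Downloads']"],
    ['ID' => 13, 'post_content' => '[sdc_menu cat=guides text="<img src=x onerror=alert(1)>"]'],
    ['ID' => 14, 'post_content' => 'No sdc shortcode here, just [gallery ids="1,2"]'],
];

foreach (sdc_scan_posts($posts) as $f) {
    printf("post %d: suspicious %s attribute: %s\n", $f['ID'], $f['attr'], $f['value']);
}
```

Posts 12 and 13 are reported; 11 and 14 are not. On a live site, feed the scanner the rows from wp_posts (for example via WP-CLI: wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[sdc_menu%'"), and include pending, draft and revision rows, since a Contributor's submission sits unpublished until an editor previews it, which is exactly when the script would first run.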
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L135
- https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L157
- https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L159
- https://plugins.trac.wordpress.org/browser/simple-download-counter/tags/2.3/inc/functions-shortcode.php#L92
- https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L135
- https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L157
- https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L159
- https://plugins.trac.wordpress.org/browser/simple-download-counter/trunk/inc/functions-shortcode.php#L92
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487364%40simple-download-counter&new=3487364%40simple-download-counter&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f23dec73-9031-4829-a84b-4979c8e8ded4?source=cve