CVE-2025-5034 PUBLISHED

WP File Download < 6.2.6 - Reflected XSS

Assigner: WPScan
Reserved: 21.05.2025 Published: 21.06.2025 Updated: 21.06.2025

The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.

Product Status

Vendor Unknown
Product wp-file-download
Versions Default: unaffected
  • affected from 0 to 6.2.6 (excl.)

Credits

  • Kevin Camus finder
  • WPScan coordinator

Problem Types

  • CWE-79 Cross-Site Scripting (XSS) CWE