CVE-2024-13799
Description
Stored XSS in the 'new-fldr-name' parameter of the WordPress User Private Files plugin (≤2.1.3) allows Subscriber+ attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The User Private Files plugin for WordPress (versions up to and including 2.1.3) contains a Stored Cross-Site Scripting vulnerability in the new-fldr-name parameter. This parameter is part of the folder creation functionality, which takes a user-supplied folder name and stores it in the database. The plugin fails to properly sanitize input and escape output, allowing malicious scripts to be stored and executed later [1].
Exploitation
An authenticated attacker with Subscriber-level access or higher can exploit this vulnerability by creating a new folder with a crafted new-fldr-name parameter containing arbitrary JavaScript. When any administrator or other user accesses the page that displays the list of folders (such as the file manager or folder listing), the injected script will execute in their browser. No additional user interaction beyond viewing the affected page is required [1].
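The store-then-render flow described above, as an added example (not the plugin's own code): a minimal stand-alone PHP model of a folder-creation handler in its vulnerable form beside a hardened one. Only the parameter name new-fldr-name comes from the advisory; the function names, the in-memory "database" and the attacker payload are assumptions made for illustration, and the two WordPress core functions are polyfilled so the script runs outside WordPress.

```php
<?php
// Added example, not code from the User Private Files plugin. Models a
// "create folder" handler that stores a user-supplied name and later renders
// the folder list. Function names, the array "database" and the payload are
// assumptions; only the parameter name 'new-fldr-name' is from the advisory.
declare(strict_types=1);

// Polyfills so this runs outside WordPress. Inside WordPress these are core
// functions and must not be redefined; the guards keep that from happening.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $str): string {
        // Approximation of core: strip tags, drop control chars, collapse whitespace.
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/u', '', $str) ?? '';
        return trim(preg_replace('/\s+/u', ' ', $str) ?? '');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern: raw parameter stored, raw value echoed back later.
function create_folder_vulnerable(array &$db, int $userId, array $post): void {
    $name = $post['new-fldr-name'] ?? '';
    $db[$userId][] = $name;                  // no sanitization on input
}
function render_folders_vulnerable(array $db): string {
    $html = '<ul>';
    foreach ($db as $userId => $names) {
        foreach ($names as $name) {
            $html .= "<li data-owner=\"$userId\">$name</li>";   // no escaping on output
        }
    }
    return $html . '</ul>';
}

// HARDENED pattern: sanitize on input AND escape on output. A real handler
// would also check a nonce and current_user_can(), but neither prevents XSS;
// only sanitization and escaping do.
function create_folder_hardened(array &$db, int $userId, array $post): void {
    $name = sanitize_text_field((string)($post['new-fldr-name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {          // assumed length limit
        throw new InvalidArgumentException('invalid folder name');
    }
    $db[$userId][] = $name;
}
function render_folders_hardened(array $db): string {
    $html = '<ul>';
    foreach ($db as $userId => $names) {
        foreach ($names as $name) {
            $html .= '<li data-owner="' . (int)$userId . '">' . esc_html($name) . '</li>';
        }
    }
    return $html . '</ul>';
}

// Constructed request from a Subscriber-level account (assumed user id 7).
$attackerPost = ['new-fldr-name' => '<img src=x onerror="alert(document.cookie)">Reports'];

$vulnDb = [];
create_folder_vulnerable($vulnDb, 7, $attackerPost);
// The markup below carries a live onerror handler; it fires in the browser of
// whichever user (including an administrator) views the folder list.
echo render_folders_vulnerable($vulnDb), PHP_EOL;

$safeDb = [];
create_folder_hardened($safeDb, 7, $attackerPost);
// sanitize_text_field strips the tag on the way in; esc_html would have turned
// any surviving angle brackets into inert entities on the way out.
echo render_folders_hardened($safeDb), PHP_EOL;
```

Run with `php example.php` and compare the two lines of output. The hardened version applies both controls deliberately: input sanitization alone leaves any payload that was stored before the fix untouched, and output escaping alone still lets the database fill with attacker-controlled markup that other code paths may render.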
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the browser of any user who views the folder list, in the context of that user's session. Typical consequences are session hijacking, credential theft, defacement, or redirection to malicious sites. Because administrators are among the possible victims, script running in an administrator's session can be used to act on the WordPress site with administrative privileges, which amounts to a compromise of the site [1].
Mitigation
The vulnerability is fixed in version 2.1.4 of the User Private Files plugin; the current version is 2.1.6 (last updated 2026-05-14). Update to 2.1.4 or later. If updating is not possible, disable the plugin or restrict access to the folder creation functionality until the update can be applied. After updating, review folder names already stored in the database for injected markup, since a fix that only sanitizes new input does not remove payloads stored before the update. No other workarounds have been published in the referenced advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both listing the same range and neither carrying a CPE identifier:
- User Private Files plugin for WordPress (no CPE): versions <= 2.1.3
Patches
- r3240877
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references cited (the reference list itself was not captured on this page).
News mentions
0 (no linked articles in our index yet).