Medium severity4.4NVD Advisory· Published Jan 17, 2026· Updated Apr 15, 2026
CVE-2025-14632
CVE-2025-14632
Description
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=1.2.11
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.phpnvd
- plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187nvd
News mentions
0No linked articles in our index yet.