CVE-2026-49112
Description
Unauthenticated path traversal in WordPress Shared Files plugin <=1.7.64 allows attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated path traversal in WordPress Shared Files plugin <=1.7.64 allows attackers to read arbitrary files.
Vulnerability
The Shared Files plugin for WordPress (versions up to and including 1.7.64) contains an unauthenticated path traversal vulnerability. This flaw allows attackers to access files outside the intended directory by manipulating file paths in HTTP requests. [1]
Exploitation
An unauthenticated attacker can exploit this by sending a crafted request containing path traversal sequences (e.g., ../). No authentication or user interaction is required. [1]
Impact
Successful exploitation allows reading arbitrary files on the server, including sensitive configuration files such as wp-config.php, which may contain database credentials. This can lead to full site compromise. [1]
Mitigation
Update to version 1.7.65 or later. If update is not immediately possible, apply a mitigation rule (e.g., from Patchstack) or consult hosting provider. This vulnerability is expected to be actively exploited. [1]
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= 1.7.64+ 1 more
- (no CPE)range: <= 1.7.64
- (no CPE)range: <=1.7.64
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)Wordfence Blog · Jun 11, 2026