Shared Files
by WordPress
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-15433 | | Medium | 0.44 | 6.8 | 0.00 | | Mar 26, 2026 | The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector |
| CVE-2026-49112 | | High | 0.42 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions. |
| CVE-2025-4392 | | High | 0.40 | 7.2 | 0.00 | | Jun 3, 2025 | The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via html File uploads in all versions up to, and including, 1.7.48 due to insufficient input sanitization and output escaping within the… |
| CVE-2024-13504 | | High | 0.40 | 7.2 | 0.00 | | Jan 31, 2025 | The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dfxp File uploads in all versions up to, and including, 1.7.42 due to insufficient input sanitization and output escaping. This makes it… |
| CVE-2023-4819 | | Medium | 0.40 | 6.1 | 0.00 | | Oct 16, 2023 | The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. |
| CVE-2024-43230 | | Medium | 0.34 | 5.3 | 0.00 | | Aug 26, 2024 | Insertion of Sensitive Information Into Sent Data vulnerability in Anssi Laitila Shared Files shared-files. This issue affects Shared Files: from n/a through <= 1.7.28. |
| CVE-2024-32679 | | Medium | 0.34 | 5.3 | 0.00 | | Apr 23, 2024 | Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files. This issue affects Shared Files: from n/a through <= 1.7.16. |
| CVE-2021-24856 | | Medium | 0.31 | 4.8 | 0.01 | | Nov 17, 2021 | The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed |