Description
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.
Published: 2026-01-17
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The Filr – Secure document library plugin for WordPress lets an authenticated attacker with Administrator‑level or higher privileges upload arbitrary files through its FILR_Uploader class. Because the upload path does not restrict the file type, the plugin stores whatever is submitted as is, including an HTML file with embedded JavaScript. When a user with permission to create or edit posts of the 'filr' post type later opens that file from the site, the script runs in the site's origin inside that user's browser and can read data and perform actions with that user's session. The weakness recorded for the CVE is CWE‑434 (unrestricted upload of a file with a dangerous type); the resulting impact is stored cross‑site scripting, which is why the CVSS vector marks the scope as changed. One practical caveat: on a single‑site WordPress install, Administrators normally hold the unfiltered_html capability and can already publish script in post content, so the flaw matters most on multisite networks (where only super admins hold that capability) and on sites that set DISALLOW_UNFILTERED_HTML, where an Administrator is not meant to be able to inject script.
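To make the failure concrete, here is an added example (not the plugin's own code; the function names, the allowlist and the sample uploads are assumptions made for this illustration) contrasting a "non‑empty file is fine" check with an allowlist check that also verifies the sniffed content type against the extension. It needs PHP 7.4 or newer with the fileinfo extension, which ships enabled by default.

```php
<?php
// Added example, not code from the Filr plugin. Shows the permissive check that
// lets report.html through beside an allowlist check of the kind FILR_Uploader
// lacks. All names, the allowlist and the sample files are assumptions.

declare(strict_types=1);

// Weak check: accepts any non-empty upload, so payload.html is stored as-is.
function weak_upload_check(string $tmpPath, string $clientName): bool
{
    return is_file($tmpPath) && filesize($tmpPath) > 0;
}

// Allowlist: extension => MIME types libmagic reports for a genuine file.
const FILR_ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

// Strict check: exactly one extension, on the allowlist, and the sniffed
// content must agree with it. Renaming payload.html to payload.png fails
// here because libmagic still reports text/html for the bytes.
function strict_upload_check(string $tmpPath, string $clientName): bool
{
    if (!is_file($tmpPath) || filesize($tmpPath) === 0) {
        return false;
    }
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, or a double extension such as a.html.pdf
    }
    $ext = strtolower($parts[1]);
    if (!isset(FILR_ALLOWED[$ext])) {
        return false;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return in_array($sniffed, FILR_ALLOWED[$ext], true);
}

// Constructed sample uploads (not real attacker files) written to temp files.
function filr_tmp_file(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'filr');
    file_put_contents($path, $bytes);
    return $path;
}

$htmlBytes = "<!DOCTYPE html><html><body><script>alert(document.domain)</script></body></html>";

// Minimal valid PNG: signature + IHDR (1x1, 8-bit RGB) + IEND, with CRCs.
$ihdr = 'IHDR' . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0);
$iend = 'IEND';
$pngBytes = "\x89PNG\r\n\x1a\n"
    . pack('N', 13) . $ihdr . pack('N', crc32($ihdr))
    . pack('N', 0) . $iend . pack('N', crc32($iend));

$pdfBytes = "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n";

$samples = [
    'report.pdf'   => filr_tmp_file($pdfBytes),
    'logo.png'     => filr_tmp_file($pngBytes),
    'payload.html' => filr_tmp_file($htmlBytes), // the CVE: stored, later rendered in the site origin
    'payload.png'  => filr_tmp_file($htmlBytes), // HTML renamed to dodge an extension-only check
    'a.html.pdf'   => filr_tmp_file($htmlBytes), // double extension
];

foreach ($samples as $name => $path) {
    printf("%-14s weak=%-5s strict=%s\n", $name,
        weak_upload_check($path, $name) ? 'ok' : 'deny',
        strict_upload_check($path, $name) ? 'ok' : 'deny');
    unlink($path);
}
```

Run it with `php example.php`: the weak check accepts all five files, the strict check accepts only report.pdf and logo.png. Inside WordPress the same two‑sided test is available as wp_check_filetype_and_ext() together with get_allowed_mime_types(), which is what a plugin uploader should be calling instead of trusting the client‑supplied name.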

Affected Systems

The vulnerability occurs in all releases of the Filr – Secure document library plugin up to and including version 1.2.11. The affected product is the WordPress plugin known as Filr – Secure document library, created by wpchill. No other vendor or product versions are listed as affected.

Risk and Exploitability

The CVSS v3.1 score of 4.4 (vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) reflects network reachability offset by high attack complexity and the requirement for Administrator‑level privileges (PR:H); the changed scope (S:C) records that the injected script runs against other users' sessions rather than only the attacker's own. The EPSS score of less than 1 % indicates a low probability of exploitation at the time of assessment, the SSVC assessment lists exploitation as none and automatable as no, and the vulnerability is not in the CISA KEV catalog. Because the flaw needs Administrator credentials, the realistic paths to exploitation are a compromised or rogue Administrator account, or a multisite network where individual site administrators are not fully trusted; in either case the attacker can plant a file that attacks any user who opens it.

Generated by OpenCVE AI on April 21, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filr – Secure document library to 1.2.12 or newer, which is expected to include proper file‑type validation in the uploader; since no vendor fix is recorded on this page, confirm in the plugin changelog that the version you install addresses the uploader before relying on it.
  • If an upgrade is not immediately possible, reject uploads with a .html, .htm, .xhtml or .svg extension (and any upload whose sniffed content type is text/html) at the web server or via a security plugin, and configure the web server to serve everything in the plugin's upload directory with Content‑Disposition: attachment and X‑Content‑Type‑Options: nosniff, so that a file that does get through is downloaded rather than rendered in the site's origin; if that is not feasible, deactivate the plugin until a fixed release is available.
  • Limit the number of accounts with Administrator or higher privileges, audit those accounts for compromise, and monitor the plugin's upload directory for new HTML files or other unexpected file types.
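The web‑server side of that interim mitigation, as an added example that is not shipped by the vendor, for Apache 2.4 with mod_headers: an .htaccess placed in the directory where Filr stores its uploads (the path wp-content/uploads/filr is an assumption; check the plugin's settings for the real location). It only helps when Apache serves those files directly; if the plugin streams downloads through a PHP handler, the same headers must be set in that handler instead.

```apacheconf
# Added example, not part of the Filr plugin. Place as .htaccess in the Filr
# upload directory (assumed: wp-content/uploads/filr). Needs Apache 2.4,
# mod_headers, and AllowOverride FileInfo for this directory.

# Nothing in an upload tree should ever execute server-side.
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>

# Markup a browser would render in the site's origin is forced to download.
# SVG is included because inline <script> in an SVG also runs when the file
# is opened directly.
<FilesMatch "\.(html?|xhtml|svg|xml)$">
    ForceType application/octet-stream
    Header set Content-Disposition "attachment"
    Header set X-Content-Type-Options "nosniff"
</FilesMatch>
```

This does not remove the stored file or fix the uploader; it stops the stored HTML from being rendered with the site's cookies and origin until the plugin is upgraded.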



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.

Type: Title
Values Removed: (none)
Values Added: Filr – Secure document library <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-434

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:52.774Z

Reserved: 2025-12-12T22:06:42.902Z

Link: CVE-2025-14632

Vulnrichment

Updated: 2026-01-20T18:45:22.442Z

NVD

Status: Deferred

Published: 2026-01-17T03:16:03.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:30:22Z

Weaknesses