Description
The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via html File uploads in all versions up to, and including, 1.7.48 due to insufficient input sanitization and output escaping within the sanitize_file() function. This makes it possible for unauthenticated attackers to bypass the plugin’s MIME-only checks and inject arbitrary web scripts in pages that will execute whenever a user accesses the html file.
Published: 2025-06-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that allows arbitrary script execution in users’ browsers
Action: Immediate Patch
AI Analysis

Impact

The Shared Files – Frontend File Upload Form & Secure File Sharing WordPress plugin accepts HTML file uploads without properly sanitizing user content before storing or serving the file. As a result, an attacker can upload a maliciously crafted HTML file that contains executable scripts. When any visitor opens the file, the embedded script runs in their browser, creating a classic stored Cross‑Site Scripting attack. This can lead to session hijacking, credential theft, defacement of the site, or delivery of more sophisticated malware payloads.

Affected Systems

All WordPress sites that have installed anssilaitila:Shared Files – Frontend File Upload Form & Secure File Sharing plugin version 1.7.48 or earlier are vulnerable. The flaw exists in every version up to and including 1.7.48, regardless of configuration, because the sanitize_file() function fails to encode or escape HTML contents before saving the file.

Risk and Exploitability

The CVSS score of 7.2 reflects a high severity from a technical standpoint, while the EPSS score of less than 1% indicates that the likelihood of exploitation is currently low. The vulnerability is not documented in the CISA KEV catalog, so no widespread exploitation has been reported. An attacker needs only unauthenticated access to the public upload form to create a malicious HTML file; any subsequent visitor to that file will trigger the stored XSS. The lack of authentication requirement and the ubiquitous nature of the upload feature make the attack vector simple and the impact potentially widespread across the site’s audience.

Generated by OpenCVE AI on April 22, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Shared Files plugin to a version newer than 1.7.48
  • If a new version is not yet available, disable the file‑upload feature or uninstall the plugin entirely
  • Configure a web application firewall to block or escape HTML content in uploaded files and strip out script tags
  • Check the site’s uploads directory for malicious HTML files and delete any that have been found

Generated by OpenCVE AI on April 22, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16717 The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via html File uploads in all versions up to, and including, 1.7.48 due to insufficient input sanitization and output escaping within the sanitize_file() function. This makes it possible for unauthenticated attackers to bypass the plugin’s MIME-only checks and inject arbitrary web scripts in pages that will execute whenever a user accesses the html file.
History

Tue, 03 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Jun 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via html File uploads in all versions up to, and including, 1.7.48 due to insufficient input sanitization and output escaping within the sanitize_file() function. This makes it possible for unauthenticated attackers to bypass the plugin’s MIME-only checks and inject arbitrary web scripts in pages that will execute whenever a user accesses the html file.
Title Shared Files <= 1.7.48 - Unauthenticated Stored Cross-Site Scripting via sanitize_file Function
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:52.331Z

Reserved: 2025-05-06T19:59:49.277Z

Link: CVE-2025-4392

cve-icon Vulnrichment

Updated: 2025-06-03T13:53:39.769Z

cve-icon NVD

Status : Deferred

Published: 2025-06-03T10:15:22.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')