Description
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the File Sharing & Download Manager – User Private Files plugin for WordPress, where the value submitted in the 'fldr_ttl' (folder title) parameter is stored without sufficient sanitization and later printed without output escaping. An authenticated user with subscriber-level or higher access can store script markup in this field; it is then rendered unescaped each time the page containing the folder is loaded. The script runs in the origin of the WordPress site for any visitor to that page, which can be abused for session hijacking, keystroke logging, defacement, or actions carried out with the viewing user's privileges (an administrator's, if one views the page).

Affected Systems

All sites running the File Sharing & Download Manager – User Private Files plugin for WordPress at version 2.1.6 or older are affected; the plugin's author is listed as DeepakKite, and the issue lies in its folder (file‑sharing) handling. The description scopes the bug to all versions up to and including 2.1.6, so any later release should be expected to carry the fix, but this page records no vendor fix or workaround; confirm the fix against the plugin's changelog before relying on a version number.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N scores 6.4 (Medium): network-reachable, low attack complexity, low privileges required, no user interaction needed for the attacker to store the payload, and a changed scope because the script executes in the browsers of other users of the site. The EPSS score below 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attacker needs a valid account with at least the subscriber role in order to set the folder title; on sites with open registration ("Anyone can register" under Settings > General) that barrier is trivial, while on invite-only sites exploitation is limited to existing or compromised accounts. Once injected, the script runs persistently in the browser of every user who loads the folder page until the stored value is removed or the output is escaped.

Generated by OpenCVE AI on June 16, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release later than 2.1.6 as soon as the vendor publishes one, and check its changelog confirms the 'fldr_ttl' sanitization and escaping fix, since this page records no vendor fix.
  • If an update is not immediately possible, restrict the ability to create or edit folder titles to trusted roles (remove the relevant capability from the subscriber role), review existing folder titles for injected markup, or disable the plugin entirely.
  • A Content Security Policy that disallows inline scripts would blunt the injected payload, but WordPress core and many plugins emit inline scripts, so roll it out in report-only mode first and expect to need nonces or hashes; treat CSP as defence in depth, not a substitute for the update.

Generated by OpenCVE AI on June 16, 2026 at 20:20 UTC.
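The bug class described in the Impact section and the fix the Recommended Actions call for, side by side, as an added illustration. This is not code from the File Sharing & Download Manager plugin (the page does not show its internals); it uses stock WordPress APIs, and the option name 'ufp_demo_folders', the capability 'ufp_demo_edit_folders', the nonce action and field names, and all function names are assumed for the demo. Only the request parameter 'fldr_ttl' is taken from the advisory.

```php
<?php
/*
 * Added illustration for CVE-2026-10093; NOT code from the File Sharing &
 * Download Manager – User Private Files plugin. The option name
 * 'ufp_demo_folders', the capability 'ufp_demo_edit_folders', the nonce
 * action/field names and all function names are assumed for the demo.
 * Only the request parameter 'fldr_ttl' comes from the advisory.
 */

/* ---- Pattern A: the bug class the advisory describes ---------------- */

// Stores whatever arrived in fldr_ttl with no authorization, nonce or
// sanitization. Any request reaching this handler can store
// "<img src=x onerror=alert(document.cookie)>" as a folder title.
function ufp_demo_save_folder_title_vulnerable() {
    $folders = get_option( 'ufp_demo_folders', array() );
    $folders[ absint( $_POST['fldr_id'] ) ] = wp_unslash( $_POST['fldr_ttl'] );
    update_option( 'ufp_demo_folders', $folders );
}

// Echoes the stored value as-is, so the payload runs in the browser of
// every visitor who loads the folder listing (stored XSS, CWE-79).
function ufp_demo_render_folder_title_vulnerable( $folder_id ) {
    $folders = get_option( 'ufp_demo_folders', array() );
    echo '<h3 class="folder-title">' . $folders[ $folder_id ] . '</h3>';
}

/* ---- Pattern B: hardened -------------------------------------------- */

function ufp_demo_save_folder_title_hardened() {
    // 1. Authorization: require a capability rather than "is logged in".
    //    Grant 'ufp_demo_edit_folders' (assumed name) only to the roles that
    //    should manage folders; subscriber does not receive it.
    if ( ! current_user_can( 'ufp_demo_edit_folders' ) ) {
        wp_die( 'You are not allowed to edit folders.', 403 );
    }

    // 2. CSRF: the form must carry the nonce emitted by
    //    wp_nonce_field( 'ufp_demo_save_folder', 'ufp_demo_nonce' ).
    check_admin_referer( 'ufp_demo_save_folder', 'ufp_demo_nonce' );

    // 3. Sanitize on input. sanitize_text_field() strips tags, percent-encoded
    //    octets and line breaks; absint() forces the id to a non-negative int.
    $folder_id = isset( $_POST['fldr_id'] ) ? absint( $_POST['fldr_id'] ) : 0;
    $title     = isset( $_POST['fldr_ttl'] )
        ? sanitize_text_field( wp_unslash( $_POST['fldr_ttl'] ) )
        : '';

    if ( 0 === $folder_id || '' === $title ) {
        wp_die( 'Folder id and title are required.', 400 );
    }

    $folders               = get_option( 'ufp_demo_folders', array() );
    $folders[ $folder_id ] = $title;
    update_option( 'ufp_demo_folders', $folders );
}

// 4. Escape on output, for the context the value lands in. This is what
//    actually stops the XSS; sanitization on save is defence in depth,
//    because another write path, an import, or direct database access
//    could still store markup.
function ufp_demo_render_folder_title_hardened( $folder_id ) {
    $folders = get_option( 'ufp_demo_folders', array() );
    $title   = isset( $folders[ $folder_id ] ) ? $folders[ $folder_id ] : '';

    printf(
        '<h3 class="folder-title" data-folder-id="%s">%s</h3>',
        esc_attr( $folder_id ), // attribute context
        esc_html( $title )      // text-node context
    );

    // If the same title is handed to inline JavaScript, escape for that
    // context instead: wp_json_encode( $title ) inside the <script> block,
    // never esc_html().
}
```

The change that closes the stored XSS is the output escaping in the render function (esc_html for text, esc_attr for attributes); sanitize_text_field on save reduces what gets stored but does not make unescaped output safe. The capability check keeps subscriber-level accounts away from the write path entirely, which is the workaround the Recommended Actions suggest while no update is available.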


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 08:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title         (none)           File Sharing & Download Manager <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'fldr_ttl' Parameter
Weaknesses    (none)           CWE-79
References    (none)           (empty on this page)
Metrics       (none)           cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T12:19:55.116Z

Reserved: 2026-05-29T13:38:49.522Z

Link: CVE-2026-10093

Vulnrichment

Updated: 2026-06-16T12:19:51.647Z

NVD

Status : Deferred

Published: 2026-06-16T08:16:23.727

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-10093

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')