Description
Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated path traversal in the Shared Files plugin lets an attacker request arbitrary files on the server by manipulating the file path input. This can expose sensitive data such as configuration files, user credentials, or any other file on the server, compromising confidentiality. The flaw does not provide code execution directly, but the attacker can enumerate file paths exhaustively and may use the data discovered for further attacks.

Affected Systems

The vulnerability affects all installations of the Tammersoft Shared Files WordPress plugin up through and including version 1.7.64. Versions newer than 1.7.64 are not impacted.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity for a remote, unauthenticated attack. The EPSS score of less than 1% suggests a low probability of real-world exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires sending a crafted HTTP request with special path characters to the plugin's file download endpoint; no authentication or additional privileges are required.

Generated by OpenCVE AI on June 16, 2026 at 22:14 UTC.

Remediation

Vendor Solution

Update the WordPress Shared Files Plugin to the latest available version (at least 1.7.65).


OpenCVE Recommended Actions

  • Apply the latest version of the WordPress Shared Files Plugin (at least 1.7.65).
  • If the plugin is not required for website functionality, disable or remove it entirely.
  • Restrict file access to the plugin directory by configuring the web server to deny direct file access or by using .htaccess rules.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tammersoft; Tammersoft shared Files; Wordpress; Wordpress wordpress
Vendors & Products | | Tammersoft; Tammersoft shared Files; Wordpress; Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
Title | | WordPress Shared Files plugin <= 1.7.64 - Path Traversal vulnerability
Weaknesses | | CWE-35
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T15:36:09.188Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49112

Vulnrichment

Updated: 2026-06-16T15:36:03.735Z

NVD

Status: Deferred

Published: 2026-06-15T21:17:20.990

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses
  • CWE-35

    Path Traversal: '.../...//'