Shared Files – Frontend File Upload Form & Secure File Sharing Security & Risk Analysis

wordpress.org/plugins/shared-files

File management plugin featuring frontend file upload form, download manager, statistics and download log.

4K active installs · v1.7.60 · PHP 7.2+ · WP 6.0+ · Updated Mar 10, 2026
Tags: download-manager, file-manager, file-sharing, file-upload, upload
Score: 90 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Jun 2, 2025
Safety Verdict

Is Shared Files – Frontend File Upload Form & Secure File Sharing Safe to Use in 2026?

Generally Safe

Score 90/100

Shared Files – Frontend File Upload Form & Secure File Sharing has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jun 2, 2025 · Updated 24d ago
Risk Assessment

The 'shared-files' plugin v1.7.60 exhibits a mixed security posture. While the static analysis indicates the absence of dangerous functions and external HTTP requests, and a good percentage of output is properly escaped, several critical concerns arise. A significant portion of the attack surface, specifically 5 AJAX handlers, lacks proper authorization checks. Furthermore, the taint analysis reveals 6 high-severity flows with unsanitized paths, suggesting potential vulnerabilities related to input handling and data exposure.

The plugin's vulnerability history is a significant red flag. With 8 known CVEs, including 3 high and 5 medium severity vulnerabilities, and a recent vulnerability reported in June 2025, it indicates a recurring pattern of security weaknesses. Common vulnerability types like Exposure of Sensitive Information, Missing Authorization, and Cross-site Scripting further reinforce these concerns. Although there are currently no unpatched vulnerabilities, the historical trend suggests a need for heightened vigilance and more robust security practices within the plugin's development lifecycle.

In conclusion, while the plugin demonstrates some positive security attributes like proper output escaping and no dangerous functions, the substantial number of unprotected AJAX handlers, critical taint flows, and a history of multiple high and medium severity vulnerabilities present a considerable risk. The plugin's past issues, coupled with current code analysis findings, point to potential exposure of sensitive information and authorization bypasses, warranting careful consideration and potential mitigation strategies.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows with unsanitized paths
  • Multiple high severity CVEs
  • Multiple medium severity CVEs
  • Large number of SQL queries with low prepared statement usage
  • Bundled outdated Freemius v1.0
Vulnerabilities: 8

Shared Files – Frontend File Upload Form & Secure File Sharing Security Vulnerabilities

CVEs by Year

  • 2021: 2 CVEs
  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • High: 3
  • Medium: 5

8 total CVEs

CVE-2025-4392 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shared Files <= 1.7.48 - Unauthenticated Stored Cross-Site Scripting via sanitize_file Function

Jun 2, 2025 Patched in 1.7.49 (1d)

CVE-2024-13504 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.42 - Limited Unauthenticated Stored Cross-Site Scripting via File Upload

Jan 30, 2025 Patched in 1.7.43 (1d)

CVE-2024-43230 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Shared Files <= 1.7.28 - Unauthenticated Sensitive Information Exposure

Aug 9, 2024 Patched in 1.7.29 (5d)

CVE-2024-34438 · medium · 5.3 · Missing Authorization

Shared Files <= 1.7.19 - Missing Authorization

May 7, 2024 Patched in 1.7.20 (9d)

CVE-2024-32679 · medium · 5.3 · Missing Authorization

Shared Files <= 1.7.16 - Missing Authorization to Notice Dismissal

Apr 17, 2024 Patched in 1.7.17 (7d)

CVE-2023-4819 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shared Files <= 1.7.5 - Unauthenticated Stored Cross-Site Scripting

Sep 21, 2023 Patched in 1.7.6 (124d)

CVE-2021-24856 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shared Files – Easy Download Manager and File Sharing Plugin with Frontend File Upload <= 1.6.60 - Cross-Site Scripting

Oct 18, 2021 Patched in 1.6.61 (827d)

CVE-2021-24736 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Shared Files – Easy Download Manager and File Sharing Plugin with Frontend File Upload <= 1.6.56 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 15, 2021 Patched in 1.6.57 (860d)

Code Analysis
Analyzed Mar 16, 2026

Shared Files – Frontend File Upload Form & Secure File Sharing Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 35 · 4 prepared
  • Unescaped Output: 726 · 1856 escaped
  • Nonce Checks: 13
  • Capability Checks: 3
  • File Operations: 21
  • External Requests: 0
  • Bundled Libraries: 2

Bundled Libraries

  • Select2
  • Freemius 1.0

SQL Query Safety

10% prepared · 39 total queries

Output Escaping

72% escaped · 2582 total outputs

Data Flows: 9 unsanitized

Data Flow Analysis

17 flows · 9 with unsanitized paths
register_page_callback (admin\class-sf-admin-sync-files.php:20)
Attack Surface: 5 unprotected

Shared Files – Frontend File Upload Form & Secure File Sharing Attack Surface

Entry Points: 14
Unprotected: 5

AJAX Handlers 5

auth wp_ajax_shared_files_file_upload includes\class-shared-files.php:225
nopriv wp_ajax_shared_files_search_log includes\class-shared-files.php:378
auth wp_ajax_shared_files_search_log includes\class-shared-files.php:379
nopriv wp_ajax_sf_get_files includes\class-shared-files.php:382
auth wp_ajax_sf_get_files includes\class-shared-files.php:383

Shortcodes 9

[shared_files] public\class-sf-public.php:191
[shared_files_search] public\class-sf-public.php:192
[shared_files_categories] public\class-sf-public.php:193
[shared_files_simple] public\class-sf-public.php:194
[shared_files_info] public\class-sf-public.php:195
[shared_files_accordion] public\class-sf-public.php:196
[shared_files_favorites] public\class-sf-public.php:197
[shared_files_restricted] public\class-sf-public.php:198
[shared_files_exact_search] public\class-sf-public.php:199

WordPress Hooks 65

filter upload_mimes admin\class-sf-admin-allow-more-file-types.php:101
action save_post admin\class-sf-admin-metadata.php:648
action save_post admin\class-sf-admin-metadata.php:656
filter upload_dir admin\class-sf-admin-sync-files.php:228
filter upload_mimes admin\class-sf-admin-sync-files.php:229
action after_uninstall includes\class-shared-files-deactivator.php:30
action plugins_loaded includes\class-shared-files.php:188
action admin_enqueue_scripts includes\class-shared-files.php:227
action admin_enqueue_scripts includes\class-shared-files.php:228
action before_delete_post includes\class-shared-files.php:229
action in_admin_header includes\class-shared-files.php:230
action admin_body_class includes\class-shared-files.php:231
action in_admin_footer includes\class-shared-files.php:232
action admin_menu includes\class-shared-files.php:233
filter cron_schedules includes\class-shared-files.php:235
action plugins_loaded includes\class-shared-files.php:236
action init includes\class-shared-files.php:237
filter admin_init includes\class-shared-files.php:239
action init includes\class-shared-files.php:241
action wp_after_insert_post includes\class-shared-files.php:242
action save_post includes\class-shared-files.php:250
action add_meta_boxes_shared_file includes\class-shared-files.php:251
action init includes\class-shared-files.php:253
action shared-file-category_edit_form_fields includes\class-shared-files.php:259
filter manage_edit-shared-file-category_columns includes\class-shared-files.php:266
filter manage_shared-file-category_custom_column includes\class-shared-files.php:267
filter request includes\class-shared-files.php:275
action manage_shared_file_posts_custom_column includes\class-shared-files.php:279
action restrict_manage_posts includes\class-shared-files.php:286
filter manage_shared_file_posts_columns includes\class-shared-files.php:293
filter manage_edit-shared_file_sortable_columns includes\class-shared-files.php:299
filter parse_query includes\class-shared-files.php:300
filter posts_clauses includes\class-shared-files.php:301
action admin_notices includes\class-shared-files.php:309
action admin_init includes\class-shared-files.php:315
action admin_menu includes\class-shared-files.php:317
action admin_menu includes\class-shared-files.php:318
action admin_menu includes\class-shared-files.php:320
action admin_menu includes\class-shared-files.php:322
action admin_init includes\class-shared-files.php:323
action admin_menu includes\class-shared-files.php:326
action admin_menu includes\class-shared-files.php:329
action admin_menu includes\class-shared-files.php:331
action admin_menu includes\class-shared-files.php:333
action admin_menu includes\class-shared-files.php:335
action admin_menu includes\class-shared-files.php:336
action admin_menu includes\class-shared-files.php:338
action admin_menu includes\class-shared-files.php:340
action admin_menu includes\class-shared-files.php:343
action wp_enqueue_scripts includes\class-shared-files.php:362
action wp_enqueue_scripts includes\class-shared-files.php:363
action wp_enqueue_scripts includes\class-shared-files.php:364
action enqueue_block_assets includes\class-shared-files.php:365
action init includes\class-shared-files.php:366
filter rest_shared_file_query includes\class-shared-files.php:367
action init includes\class-shared-files.php:374
action init includes\class-shared-files.php:375
filter request includes\class-shared-files.php:385
filter upload_dir public\class-sf-public-file-upload.php:198
filter upload_mimes public\class-sf-public-file-upload.php:199
filter connect_message shared-files.php:92
filter show_deactivation_feedback_form shared-files.php:98
filter is_submenu_visible shared-files.php:108
filter connect_message_on_update shared-files.php:133
filter plugin_icon shared-files.php:143

Scheduled Events 1

check_expired_files
Maintenance & Trust

Shared Files – Frontend File Upload Form & Secure File Sharing Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 10, 2026
PHP min version: 7.2
Downloads: 248K

Community Trust

Rating: 88/100
Number of ratings: 34
Active installs: 4K
Developer Profile

Shared Files – Frontend File Upload Form & Secure File Sharing Developer Profile

Anssi Laitila

2 plugins · 5K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 272 days
Detection Fingerprints

How We Detect Shared Files – Frontend File Upload Form & Secure File Sharing

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shared-files/css/shared-files.css
/wp-content/plugins/shared-files/js/shared-files.js
Script Paths
/wp-content/plugins/shared-files/js/shared-files.js
Version Parameters
shared-files/style.css?ver=
shared-files/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
shared-files-upload-form
Data Attributes
data-sf-field-id
JS Globals
SharedFilesVars
Shortcode Output
[shared_files_upload_form]