File Sharing & Download Manager – User Private Files Security & Risk Analysis

wordpress.org/plugins/user-private-files

Secure WordPress file sharing & download manager. Upload, manage & share private files with users safely.

Active installs: 1K · Version: v2.1.6 · PHP 7.4+ · WP 6.0+ · Updated Oct 16, 2025

Tags: document-management, download-manager, file-manager, file-sharing, upload

Security score: 96 (A · Safe)
CVEs total: 7
Unpatched: 0
Last CVE: Feb 18, 2025
Safety Verdict

Is File Sharing & Download Manager – User Private Files Safe to Use in 2026?

Generally Safe

Score 96/100

File Sharing & Download Manager – User Private Files has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Feb 18, 2025 · Updated 5mo ago
Risk Assessment

The user-private-files v2.1.6 plugin presents a mixed security posture. On the positive side, the plugin uses prepared statements for its SQL queries and has a substantial number of nonce and capability checks, indicating an effort to secure its entry points. Static analysis found no critical or high severity taint flows, and every identified entry point carries some form of authorization check.

However, its vulnerability history raises significant concerns. The plugin has 7 known CVEs, the most recent in 2025. While none are currently unpatched, the prevalence of medium severity vulnerabilities, including Authorization Bypass, Cross-Site Scripting (XSS), Missing Authorization, Exposure of Sensitive Information, and Unrestricted Uploads, points to recurring and potentially systemic weaknesses. That 20% of output is not properly escaped, across a large number of output operations, is a significant XSS concern. The unsanitized paths found in taint analysis, even without critical severity, also warrant attention.

In conclusion, while the plugin has implemented some essential security mechanisms, its vulnerability history and its output escaping issues suggest a need for ongoing scrutiny and possible refactoring. The historical trend of diverse and repeated vulnerability types indicates that a thorough security review of the underlying coding practices is warranted.

Key Concerns

  • Output escaping issues (20% unescaped)
  • Vulnerability history (6 medium CVEs)
  • Flows with unsanitized paths
Vulnerabilities (7)

File Sharing & Download Manager – User Private Files Security Vulnerabilities

CVEs by Year

  • 2022: 3 CVEs
  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 6

7 total CVEs

CVE-2024-13799 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

User Private Files – File Upload & Download Manager with Secure File Sharing <= 2.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Feb 18, 2025 · Patched in 2.1.4 (1d)

CVE-2024-7848 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

User Private Files <= 2.1.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private File Access

Aug 21, 2024 · Patched in 2.1.1 (1d)

CVE-2023-4836 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

User Private Files < 2.0.5 - Insecure Direct Object Reference

Oct 11, 2023 · Patched in 2.0.5 (104d)

CVE-2023-4636 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress File Sharing Plugin <= 2.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 4, 2023 · Patched in 2.0.4 (141d)

Frontend File Manager & Sharing – User Private Files <= 1.1.1 - Missing Authorization

Aug 6, 2022 · Patched in 1.1.2 (535d)

WF-afc9114b-80b7-4caf-ab6b-35747ff5057b-user-private-files · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Frontend File Manager & Sharing – User Private Files <= 1.1.0 - Sensitive Information Disclosure

Aug 6, 2022 · Patched in 1.1.1 (535d)

CVE-2022-2356 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Frontend File Manager & Sharing – User Private Files <= 1.1.2 - Subscriber+ Arbitrary File Upload

Jul 11, 2022 · Patched in 1.1.3 (561d)
Code Analysis
Analyzed Mar 16, 2026

File Sharing & Download Manager – User Private Files Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 316 (78 escaped)
  • Nonce Checks: 29
  • Capability Checks: 9
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

jQuery

Output Escaping

20% escaped · 394 total outputs

Data Flows (1 unsanitized)

Data Flow Analysis

3 flows · 1 with unsanitized paths

  • <dl-file> (dl-file.php:0)
Attack Surface

File Sharing & Download Manager – User Private Files Attack Surface

Entry Points: 57
Unprotected: 0

AJAX Handlers (54)

auth · wp_ajax_classic_upload_doc_callback · inc\classic-user-functions.php:12
nopriv · wp_ajax_classic_upload_doc_callback · inc\classic-user-functions.php:13
auth · wp_ajax_dpk_upvf_update_doc · inc\classic-user-functions.php:91
nopriv · wp_ajax_dpk_upvf_update_doc · inc\classic-user-functions.php:92
auth · wp_ajax_dpk_upvf_rmv_access · inc\classic-user-functions.php:154
nopriv · wp_ajax_dpk_upvf_rmv_access · inc\classic-user-functions.php:155
auth · wp_ajax_dpk_upvf_rmv_file · inc\classic-user-functions.php:193
nopriv · wp_ajax_dpk_upvf_rmv_file · inc\classic-user-functions.php:194
auth · wp_ajax_upvf_pro_upload_doc_callback · inc\functions-file.php:34
nopriv · wp_ajax_upvf_pro_upload_doc_callback · inc\functions-file.php:35
auth · wp_ajax_upvf_pro_preview_file · inc\functions-file.php:117
nopriv · wp_ajax_upvf_pro_preview_file · inc\functions-file.php:118
auth · wp_ajax_upvf_pro_update_doc · inc\functions-file.php:261
nopriv · wp_ajax_upvf_pro_update_doc · inc\functions-file.php:262
auth · wp_ajax_upvf_pro_add_bulk · inc\functions-file.php:420
nopriv · wp_ajax_upvf_pro_add_bulk · inc\functions-file.php:421
auth · wp_ajax_upvf_pro_rename_file · inc\functions-file.php:599
nopriv · wp_ajax_upvf_pro_rename_file · inc\functions-file.php:600
auth · wp_ajax_upvf_pro_update_file_dsc · inc\functions-file.php:633
nopriv · wp_ajax_upvf_pro_update_file_dsc · inc\functions-file.php:634
auth · wp_ajax_upvf_pro_rmv_access · inc\functions-file.php:667
nopriv · wp_ajax_upvf_pro_rmv_access · inc\functions-file.php:668
auth · wp_ajax_upvf_pro_delete_file · inc\functions-file.php:703
nopriv · wp_ajax_upvf_pro_delete_file · inc\functions-file.php:704
auth · wp_ajax_upvf_pro_restore_file · inc\functions-file.php:739
nopriv · wp_ajax_upvf_pro_restore_file · inc\functions-file.php:740
auth · wp_ajax_upvf_pro_get_folders · inc\functions-file.php:767
nopriv · wp_ajax_upvf_pro_get_folders · inc\functions-file.php:768
auth · wp_ajax_upvf_pro_move_file · inc\functions-file.php:815
nopriv · wp_ajax_upvf_pro_move_file · inc\functions-file.php:816
auth · wp_ajax_upvf_pro_file_add_cmnt · inc\functions-file.php:852
nopriv · wp_ajax_upvf_pro_file_add_cmnt · inc\functions-file.php:853
auth · wp_ajax_upvf_pro_load_flder · inc\functions-folder.php:287
nopriv · wp_ajax_upvf_pro_load_flder · inc\functions-folder.php:288
auth · wp_ajax_upvf_pro_new_flder_callback · inc\functions-folder.php:449
nopriv · wp_ajax_upvf_pro_new_flder_callback · inc\functions-folder.php:450
auth · wp_ajax_upvf_pro_rename_folder · inc\functions-folder.php:527
nopriv · wp_ajax_upvf_pro_rename_folder · inc\functions-folder.php:528
auth · wp_ajax_upvf_pro_move_folder · inc\functions-folder.php:562
nopriv · wp_ajax_upvf_pro_move_folder · inc\functions-folder.php:563
auth · wp_ajax_upvf_pro_share_folder · inc\functions-folder.php:609
nopriv · wp_ajax_upvf_pro_share_folder · inc\functions-folder.php:610
auth · wp_ajax_upvf_pro_share_folder_bulk · inc\functions-folder.php:779
nopriv · wp_ajax_upvf_pro_share_folder_bulk · inc\functions-folder.php:780
auth · wp_ajax_upvf_pro_rmv_fldr_access · inc\functions-folder.php:967
nopriv · wp_ajax_upvf_pro_rmv_fldr_access · inc\functions-folder.php:968
auth · wp_ajax_upvf_pro_delete_folder · inc\functions-folder.php:1015
nopriv · wp_ajax_upvf_pro_delete_folder · inc\functions-folder.php:1016
auth · wp_ajax_upvf_pro_restore_folder · inc\functions-folder.php:1068
nopriv · wp_ajax_upvf_pro_restore_folder · inc\functions-folder.php:1069
auth · wp_ajax_upvf_pro_empty_trash · inc\functions-folder.php:1122
nopriv · wp_ajax_upvf_pro_empty_trash · inc\functions-folder.php:1123
auth · wp_ajax_upvf_pro_search · inc\functions-folder.php:1183
nopriv · wp_ajax_upvf_pro_search · inc\functions-folder.php:1184

Shortcodes (3)

[upf_manager] inc\shortcodes.php:12
[upf_upload] templates\classic-post-new.php:11
[upf_display] templates\classic-render.php:11
WordPress Hooks (16)

action · upf_file_inserted · actions.php:8
filter · wp_untrash_post_status · filters.php:8
filter · wp_image_editors · filters.php:32
filter · ajax_query_attachments_args · filters.php:37
action · pre_get_posts · filters.php:57
filter · upload_dir · inc\functions-file.php:65
action · admin_init · user-private-files.php:22
action · admin_notices · user-private-files.php:28
action · admin_head · user-private-files.php:36
action · admin_head · user-private-files.php:52
action · init · user-private-files.php:59
action · wp_enqueue_scripts · user-private-files.php:65
action · admin_enqueue_scripts · user-private-files.php:66
filter · template_include · user-private-files.php:89
action · plugins_loaded · user-private-files.php:225
action · admin_menu · user-private-files.php:228
Maintenance & Trust

File Sharing & Download Manager – User Private Files Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 16, 2025
PHP min version: 7.4
Downloads: 42K

Community Trust

Rating: 90/100
Number of ratings: 55
Active installs: 1K
Developer Profile

File Sharing & Download Manager – User Private Files Developer Profile

Deepak Khokhar

6 plugins · 5K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 236 days
Detection Fingerprints

How We Detect File Sharing & Download Manager – User Private Files

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/user-private-files/css/admin/admin_free.css
  • /wp-content/plugins/user-private-files/js/admin/admin-upf_free.js
  • /wp-content/plugins/user-private-files/css/admin/chosen.min.css
  • /wp-content/plugins/user-private-files/js/lib/chosen.jquery.min.js
  • /wp-content/plugins/user-private-files/css/fa.min.css
  • /wp-content/plugins/user-private-files/css/classic-style.css
  • /wp-content/plugins/user-private-files/js/classic-main.js
  • /wp-content/plugins/user-private-files/css/style.css
  • (+4 more)

Script Paths

  • js/admin/admin-upf_free.js
  • js/lib/chosen.jquery.min.js
  • js/classic-main.js
  • js/waitforimages.min.js
  • js/file.js
  • js/folder.js
  • (+1 more)

Version Parameters

  • user-private-files/css/admin/admin_free.css?ver=
  • user-private-files/js/admin/admin-upf_free.js?ver=
  • user-private-files/css/admin/chosen.min.css?ver=
  • user-private-files/js/lib/chosen.jquery.min.js?ver=
  • user-private-files/css/fa.min.css?ver=
  • user-private-files/css/classic-style.css?ver=
  • user-private-files/js/classic-main.js?ver=
  • user-private-files/css/style.css?ver=
  • user-private-files/js/waitforimages.min.js?ver=
  • user-private-files/js/file.js?ver=
  • user-private-files/js/folder.js?ver=
  • user-private-files/js/bulk-action.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • upf-docs
  • upf-file-manager

HTML Comments

  • <!-- User Private Files -->
  • <!-- END User Private Files -->

Data Attributes

  • data-upf-id
  • data-upf-type

JS Globals

  • ajax_upf_classic_obj
  • ajax_upf_obj
  • ajax_upvf_frnt_obj
  • ajax_upvf_bulk_obj
  • upvf_template_loader

REST Endpoints

  • /wp-json/upf/v1/get-folders
  • /wp-json/upf/v1/get-files
  • /wp-json/upf/v1/upload-file
  • /wp-json/upf/v1/delete-file
  • /wp-json/upf/v1/create-folder
  • /wp-json/upf/v1/delete-folder
  • /wp-json/upf/v1/rename-file
  • /wp-json/upf/v1/rename-folder

Shortcode Output

  • [user_private_files]
  • [upf_folders]
  • [upf_files]
FAQ

Frequently Asked Questions about File Sharing & Download Manager – User Private Files