File Sharing & Download Manager <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'fldr_ttl' Parameter
Description
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=2.1.6What Changed in the Fix
Changes introduced in v2.1.7
Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. For information on securing WordPress applications and preventing cross-site scripting, I recommend consulting the [WordPress Plugin Handbook's security section](htt…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. For information on securing WordPress applications and preventing cross-site scripting, I recommend consulting the WordPress Plugin Handbook's security section or the OWASP Top Ten project.
Summary
The File Sharing & Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter due to inadequate sanitization and escaping of folder titles. Authenticated attackers with subscriber-level access or higher can inject malicious JavaScript that executes when other users, including administrators, view the folder management dashboard.
Vulnerable Code
// inc/functions-folder.php line 78 foreach($folders as $folder){ $panel_html .= '<li id="upfp_nav_fldr_' . $folder->ID . '" data-folder-id="' . $folder->ID . '" data-folder-name="' . $folder->post_title . '" class="upfp_fldr_obj"> <a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . $folder->post_title . '</span></a> </li>'; } --- // inc/functions-folder.php line 501 $res_array['html'] = '<div id="sub_folder_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="folder-item upfp_fldr_obj"> <a class="sub-folder-action" href="javascript:void(0);"> <img src="' . $folder_prvw_img . '"> </a> <p class="folder_ttl">' . $fldr_ttl . '</p> </div>'; --- // js/file.js line 127 $doc_pht_html += '<p class="doc_ttl">' + doc_ttl + '</p></div>';
Security Fix
@@ -75,8 +75,8 @@ </ul> <ul class="upfp_nav_list my_folders">'; foreach($folders as $folder){ - $panel_html .= '<li id="upfp_nav_fldr_' . $folder->ID . '" data-folder-id="' . $folder->ID . '" data-folder-name="' . $folder->post_title . '" class="upfp_fldr_obj"> - <a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . $folder->post_title . '</span></a> + $panel_html .= '<li id="upfp_nav_fldr_' . absint($folder->ID) . '" data-folder-id="' . absint($folder->ID) . '" data-folder-name="' . esc_attr($folder->post_title) . '" class="upfp_fldr_obj"> + <a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . esc_html($folder->post_title) . '</span></a> </li>'; } $panel_html .= '</ul>'; @@ -498,16 +498,16 @@ global $upf_plugin_url; $folder_prvw_img = $upf_plugin_url . 'images/folder-150.png'; - $res_array['html'] = '<div id="sub_folder_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="folder-item upfp_fldr_obj"> + $res_array['html'] = '<div id="sub_folder_' . absint($fldr_id) . '" data-folder-id="' . absint($fldr_id) . '" data-folder-name="' . esc_attr($fldr_ttl) . '" class="folder-item upfp_fldr_obj"> a class="sub-folder-action" href="javascript:void(0);"> - <img src="' . $folder_prvw_img . '"> + <img src="' . esc_url($folder_prvw_img) . '"> </a> - <p class="folder_ttl">' . $fldr_ttl . '</p> + <p class="folder_ttl">' . esc_html($fldr_ttl) . '</p> </div>'; - + if(!isset($_POST['parent_fldr'])){ // only add to navigation if it's a root folder - $res_array['folders_li'] = '<li id="upfp_nav_fldr_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="upfp_fldr_obj"> - a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i><span> ' . $fldr_ttl . '</span></a> + $res_array['folders_li'] = '<li id="upfp_nav_fldr_' . absint($fldr_id) . '" data-folder-id="' . absint($fldr_id) . '" data-folder-name="' . esc_attr($fldr_ttl) . '" class="upfp_fldr_obj"> + a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i><span> ' . esc_html($fldr_ttl) . '</span></a> </li>'; }
Exploit Outline
The exploit targets the folder creation or renaming functionality of the plugin. 1. **Authentication**: An attacker must log in to the WordPress site with at least Subscriber-level privileges, which grants access to the 'User Private Files' dashboard. 2. **Payload Delivery**: The attacker initiates an AJAX request to create a new folder (or rename an existing one). The `fldr_ttl` parameter in the POST request is populated with a malicious JavaScript payload (e.g., `<script>alert(document.cookie)</script>`). 3. **Storage**: The plugin saves this malicious payload as the folder's title (`post_title`) in the database without sufficient sanitization. 4. **Execution**: When the attacker or any other user (such as an administrator managing files) navigates to the plugin's file manager interface, the application fetches the folder title and renders it directly into the HTML within `<li>` or `<div>` elements. Because the output is not properly escaped in PHP or JavaScript before being added to the DOM, the browser executes the injected script.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.