CVE-2026-10093

File Sharing & Download Manager <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'fldr_ttl' Parameter

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.1.7
Patched in
1d
Time to patch

Description

The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.1.6
PublishedJune 15, 2026
Last updatedJune 16, 2026
Affected pluginuser-private-files

What Changed in the Fix

Changes introduced in v2.1.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. For information on securing WordPress applications and preventing cross-site scripting, I recommend consulting the [WordPress Plugin Handbook's security section](htt…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. For information on securing WordPress applications and preventing cross-site scripting, I recommend consulting the WordPress Plugin Handbook's security section or the OWASP Top Ten project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The File Sharing & Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter due to inadequate sanitization and escaping of folder titles. Authenticated attackers with subscriber-level access or higher can inject malicious JavaScript that executes when other users, including administrators, view the folder management dashboard.

Vulnerable Code

// inc/functions-folder.php line 78
foreach($folders as $folder){
    $panel_html .= '<li id="upfp_nav_fldr_' . $folder->ID . '" data-folder-id="' . $folder->ID . '" data-folder-name="' . $folder->post_title . '" class="upfp_fldr_obj">
        <a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . $folder->post_title . '</span></a>
    </li>';
}

---

// inc/functions-folder.php line 501
$res_array['html'] = '<div id="sub_folder_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="folder-item upfp_fldr_obj">
                        <a class="sub-folder-action" href="javascript:void(0);">
                            <img src="' . $folder_prvw_img . '">
                        </a>
                        <p class="folder_ttl">' . $fldr_ttl . '</p>
                     </div>';

---

// js/file.js line 127
$doc_pht_html += '<p class="doc_ttl">' + doc_ttl + '</p></div>';

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/user-private-files/2.1.6/inc/functions-folder.php	2025-09-27 06:55:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/user-private-files/2.1.7/inc/functions-folder.php	2026-06-09 04:00:24.000000000 +0000
@@ -75,8 +75,8 @@
 							</ul>
 							<ul class="upfp_nav_list my_folders">';
 								foreach($folders as $folder){
-									$panel_html .= '<li id="upfp_nav_fldr_' . $folder->ID . '" data-folder-id="' . $folder->ID . '" data-folder-name="' . $folder->post_title . '" class="upfp_fldr_obj">
-										<a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . $folder->post_title . '</span></a>
+									$panel_html .= '<li id="upfp_nav_fldr_' . absint($folder->ID) . '" data-folder-id="' . absint($folder->ID) . '" data-folder-name="' . esc_attr($folder->post_title) . '" class="upfp_fldr_obj">
+										<a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i> <span> ' . esc_html($folder->post_title) . '</span></a>
 									</li>';
 								}
 			$panel_html .= '</ul>';	
@@ -498,16 +498,16 @@
 				global $upf_plugin_url;
 				$folder_prvw_img = $upf_plugin_url . 'images/folder-150.png';
 				
-				$res_array['html'] = '<div id="sub_folder_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="folder-item upfp_fldr_obj">
+				$res_array['html'] = '<div id="sub_folder_' . absint($fldr_id) . '" data-folder-id="' . absint($fldr_id) . '" data-folder-name="' . esc_attr($fldr_ttl) . '" class="folder-item upfp_fldr_obj">
 										a class="sub-folder-action" href="javascript:void(0);">
-											<img src="' . $folder_prvw_img . '">
+											<img src="' . esc_url($folder_prvw_img) . '">
 										</a>
-										<p class="folder_ttl">' . $fldr_ttl . '</p>
+										<p class="folder_ttl">' . esc_html($fldr_ttl) . '</p>
 									 </div>';
-				
+
 				if(!isset($_POST['parent_fldr'])){ // only add to navigation if it's a root folder
-					$res_array['folders_li'] = '<li id="upfp_nav_fldr_' . $fldr_id . '" data-folder-id="' . $fldr_id . '" data-folder-name="' . $fldr_ttl . '" class="upfp_fldr_obj">
-												a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i><span> ' . $fldr_ttl . '</span></a>
+					$res_array['folders_li'] = '<li id="upfp_nav_fldr_' . absint($fldr_id) . '" data-folder-id="' . absint($fldr_id) . '" data-folder-name="' . esc_attr($fldr_ttl) . '" class="upfp_fldr_obj">
+												a class="upfp_foldr" href="javascript:void(0);"><i class="fas fa-folder"></i><span> ' . esc_html($fldr_ttl) . '</span></a>
 											</li>';
 				}

Exploit Outline

The exploit targets the folder creation or renaming functionality of the plugin. 1. **Authentication**: An attacker must log in to the WordPress site with at least Subscriber-level privileges, which grants access to the 'User Private Files' dashboard. 2. **Payload Delivery**: The attacker initiates an AJAX request to create a new folder (or rename an existing one). The `fldr_ttl` parameter in the POST request is populated with a malicious JavaScript payload (e.g., `<script>alert(document.cookie)</script>`). 3. **Storage**: The plugin saves this malicious payload as the folder's title (`post_title`) in the database without sufficient sanitization. 4. **Execution**: When the attacker or any other user (such as an administrator managing files) navigates to the plugin's file manager interface, the application fetches the folder title and renders it directly into the HTML within `<li>` or `<div>` elements. Because the output is not properly escaped in PHP or JavaScript before being added to the DOM, the browser executes the injected script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.