[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjEY5EwqdCljECRdhS9a-4KlK_X2rqzynBCJ2k0PCMJc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-10093","file-sharing-download-manager-authenticated-subscriber-stored-cross-site-scripting-via-fldrttl-parameter","File Sharing & Download Manager \u003C= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'fldr_ttl' Parameter","The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","user-private-files",null,"\u003C=2.1.6","2.1.7","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-15 18:58:43","2026-06-16 07:46:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5ee0dd57-6256-4a56-907e-89336f052b6d?source=api-prod",1,[22,23,24,25,26,27,28,29],"inc\u002Ffunctions-file.php","inc\u002Ffunctions-folder.php","js\u002Fclassic-main.js","js\u002Ffile.js","js\u002Ffolder.js","readme.txt","templates\u002Fclassic-render.php","templates\u002Ffile-preview.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. For information on securing WordPress applications and preventing cross-site scripting, I recommend consulting the [WordPress Plugin Handbook's security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) or the [OWASP Top Ten project](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F).","The File Sharing & Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter due to inadequate sanitization and escaping of folder titles. Authenticated attackers with subscriber-level access or higher can inject malicious JavaScript that executes when other users, including administrators, view the folder management dashboard.","\u002F\u002F inc\u002Ffunctions-folder.php line 78\nforeach($folders as $folder){\n    $panel_html .= '\u003Cli id=\"upfp_nav_fldr_' . $folder->ID . '\" data-folder-id=\"' . $folder->ID . '\" data-folder-name=\"' . $folder->post_title . '\" class=\"upfp_fldr_obj\">\n        \u003Ca class=\"upfp_foldr\" href=\"javascript:void(0);\">\u003Ci class=\"fas fa-folder\">\u003C\u002Fi> \u003Cspan> ' . $folder->post_title . '\u003C\u002Fspan>\u003C\u002Fa>\n    \u003C\u002Fli>';\n}\n\n---\n\n\u002F\u002F inc\u002Ffunctions-folder.php line 501\n$res_array['html'] = '\u003Cdiv id=\"sub_folder_' . $fldr_id . '\" data-folder-id=\"' . $fldr_id . '\" data-folder-name=\"' . $fldr_ttl . '\" class=\"folder-item upfp_fldr_obj\">\n                        \u003Ca class=\"sub-folder-action\" href=\"javascript:void(0);\">\n                            \u003Cimg src=\"' . $folder_prvw_img . '\">\n                        \u003C\u002Fa>\n                        \u003Cp class=\"folder_ttl\">' . $fldr_ttl . '\u003C\u002Fp>\n                     \u003C\u002Fdiv>';\n\n---\n\n\u002F\u002F js\u002Ffile.js line 127\n$doc_pht_html += '\u003Cp class=\"doc_ttl\">' + doc_ttl + '\u003C\u002Fp>\u003C\u002Fdiv>';","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuser-private-files\u002F2.1.6\u002Finc\u002Ffunctions-folder.php\t2025-09-27 06:55:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fuser-private-files\u002F2.1.7\u002Finc\u002Ffunctions-folder.php\t2026-06-09 04:00:24.000000000 +0000\n@@ -75,8 +75,8 @@\n \t\t\t\t\t\t\t\u003C\u002Ful>\n \t\t\t\t\t\t\t\u003Cul class=\"upfp_nav_list my_folders\">';\n \t\t\t\t\t\t\t\tforeach($folders as $folder){\n-\t\t\t\t\t\t\t\t\t$panel_html .= '\u003Cli id=\"upfp_nav_fldr_' . $folder->ID . '\" data-folder-id=\"' . $folder->ID . '\" data-folder-name=\"' . $folder->post_title . '\" class=\"upfp_fldr_obj\">\n-\t\t\t\t\t\t\t\t\t\t\u003Ca class=\"upfp_foldr\" href=\"javascript:void(0);\">\u003Ci class=\"fas fa-folder\">\u003C\u002Fi> \u003Cspan> ' . $folder->post_title . '\u003C\u002Fspan>\u003C\u002Fa>\n+\t\t\t\t\t\t\t\t\t$panel_html .= '\u003Cli id=\"upfp_nav_fldr_' . absint($folder->ID) . '\" data-folder-id=\"' . absint($folder->ID) . '\" data-folder-name=\"' . esc_attr($folder->post_title) . '\" class=\"upfp_fldr_obj\">\n+\t\t\t\t\t\t\t\t\t\t\u003Ca class=\"upfp_foldr\" href=\"javascript:void(0);\">\u003Ci class=\"fas fa-folder\">\u003C\u002Fi> \u003Cspan> ' . esc_html($folder->post_title) . '\u003C\u002Fspan>\u003C\u002Fa>\n \t\t\t\t\t\t\t\t\t\u003C\u002Fli>';\n \t\t\t\t\t\t\t\t}\n \t\t\t$panel_html .= '\u003C\u002Ful>';\t\n@@ -498,16 +498,16 @@\n \t\t\t\tglobal $upf_plugin_url;\n \t\t\t\t$folder_prvw_img = $upf_plugin_url . 'images\u002Ffolder-150.png';\n \t\t\t\t\n-\t\t\t\t$res_array['html'] = '\u003Cdiv id=\"sub_folder_' . $fldr_id . '\" data-folder-id=\"' . $fldr_id . '\" data-folder-name=\"' . $fldr_ttl . '\" class=\"folder-item upfp_fldr_obj\">\n+\t\t\t\t$res_array['html'] = '\u003Cdiv id=\"sub_folder_' . absint($fldr_id) . '\" data-folder-id=\"' . absint($fldr_id) . '\" data-folder-name=\"' . esc_attr($fldr_ttl) . '\" class=\"folder-item upfp_fldr_obj\">\n \t\t\t\t\t\t\t\t\t\ta class=\"sub-folder-action\" href=\"javascript:void(0);\">\n-\t\t\t\t\t\t\t\t\t\t\t\u003Cimg src=\"' . $folder_prvw_img . '\">\n+\t\t\t\t\t\t\t\t\t\t\t\u003Cimg src=\"' . esc_url($folder_prvw_img) . '\">\n \t\t\t\t\t\t\t\t\t\t\u003C\u002Fa>\n-\t\t\t\t\t\t\t\t\t\t\u003Cp class=\"folder_ttl\">' . $fldr_ttl . '\u003C\u002Fp>\n+\t\t\t\t\t\t\t\t\t\t\u003Cp class=\"folder_ttl\">' . esc_html($fldr_ttl) . '\u003C\u002Fp>\n \t\t\t\t\t\t\t\t\t \u003C\u002Fdiv>';\n-\t\t\t\t\n+\n \t\t\t\tif(!isset($_POST['parent_fldr'])){ \u002F\u002F only add to navigation if it's a root folder\n-\t\t\t\t\t$res_array['folders_li'] = '\u003Cli id=\"upfp_nav_fldr_' . $fldr_id . '\" data-folder-id=\"' . $fldr_id . '\" data-folder-name=\"' . $fldr_ttl . '\" class=\"upfp_fldr_obj\">\n-\t\t\t\t\t\t\t\t\t\t\t\ta class=\"upfp_foldr\" href=\"javascript:void(0);\">\u003Ci class=\"fas fa-folder\">\u003C\u002Fi>\u003Cspan> ' . $fldr_ttl . '\u003C\u002Fspan>\u003C\u002Fa>\n+\t\t\t\t\t$res_array['folders_li'] = '\u003Cli id=\"upfp_nav_fldr_' . absint($fldr_id) . '\" data-folder-id=\"' . absint($fldr_id) . '\" data-folder-name=\"' . esc_attr($fldr_ttl) . '\" class=\"upfp_fldr_obj\">\n+\t\t\t\t\t\t\t\t\t\t\t\ta class=\"upfp_foldr\" href=\"javascript:void(0);\">\u003Ci class=\"fas fa-folder\">\u003C\u002Fi>\u003Cspan> ' . esc_html($fldr_ttl) . '\u003C\u002Fspan>\u003C\u002Fa>\n \t\t\t\t\t\t\t\t\t\t\t\u003C\u002Fli>';\n \t\t\t\t}","The exploit targets the folder creation or renaming functionality of the plugin. \n\n1.  **Authentication**: An attacker must log in to the WordPress site with at least Subscriber-level privileges, which grants access to the 'User Private Files' dashboard.\n2.  **Payload Delivery**: The attacker initiates an AJAX request to create a new folder (or rename an existing one). The `fldr_ttl` parameter in the POST request is populated with a malicious JavaScript payload (e.g., `\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`).\n3.  **Storage**: The plugin saves this malicious payload as the folder's title (`post_title`) in the database without sufficient sanitization.\n4.  **Execution**: When the attacker or any other user (such as an administrator managing files) navigates to the plugin's file manager interface, the application fetches the folder title and renders it directly into the HTML within `\u003Cli>` or `\u003Cdiv>` elements. Because the output is not properly escaped in PHP or JavaScript before being added to the DOM, the browser executes the injected script.","gemini-3-flash-preview","2026-06-25 23:43:28","2026-06-25 23:44:05",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.1.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-private-files\u002Ftags\u002F2.1.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-private-files.2.1.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-private-files\u002Ftags\u002F2.1.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fuser-private-files.2.1.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fuser-private-files\u002Ftags"]