Shared Files – Frontend File Upload Form & Secure File Sharing < 1.7.58 - Authenticated (Contributor+) Arbitrary File Download
Description
The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Path Traversal in all versions up to 1.7.58 (exclusive). This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Technical Details
What Changed in the Fix
Changes introduced in v1.7.58
Source Code
WordPress.org SVN
This plan outlines the research and exploitation strategy for CVE-2025-15433, a path traversal vulnerability in the "Shared Files" WordPress plugin.
1. Vulnerability Summary
The Shared Files plugin (versions < 1.7.58) fails to properly sanitize or validate file paths stored in the metadata of its shared_files Custom Post Type (CPT). When a file is requested via the plugin's custom URL routing, the SharedFilesAdminQuery::alter_the_query function retrieves the file path from the _sf_file or _sf_filename post meta and serves it using standard file system functions.
Because authenticated users with Contributor-level permissions can create and manage their own shared_files posts, they can manipulate the associated metadata to point to sensitive system files (e.g., wp-config.php). The plugin then serves these files to the attacker through its download handler.
2. Attack Vector Analysis
- Vulnerable Endpoint: any URL matching the plugin's routing pattern: [site-url]/shared-files/[post-id]/[filename]
- Vulnerable Function: SharedFilesAdminQuery::alter_the_query in admin/class-sf-admin-query.php
- Preconditions:
  - Authenticated as a Contributor or higher.
  - Ability to create/edit a post of type shared_files.
- Payload: A path traversal string (e
Summary
The Shared Files plugin for WordPress is vulnerable to Path Traversal due to insufficient validation of file paths stored in the metadata of 'shared_files' posts. Authenticated attackers with Contributor-level access can manipulate these metadata fields to point to sensitive system files, which are then served for download by the plugin's query handler.
Vulnerable Code
```php
// admin/class-sf-admin-query.php (approx. lines 122-140 in version 1.7.57)
$file              = get_post_meta( $file_id, '_sf_file', true );      // serialized array, 'file' key holds the path
$filename_fallback = get_post_meta( $file_id, '_sf_filename', true );  // legacy plain-string path

if ( $external_url ) {
    // ... external redirect logic ...
} elseif ( $file || $filename_fallback ) {
    $redirect = 0;
    if ( isset( $s['file_open_method'] ) && $s['file_open_method'] == 'redirect' ) {
        $redirect = 1;
    }

    $filename = '';
    if ( isset( $file['file'] ) ) {
        // sanitize_text_field() strips tags and whitespace; it does not
        // neutralise '../' segments or an absolute path such as /etc/passwd.
        $filename = SharedFilesFileOpen::getUpdatedPathAndFilename( sanitize_text_field( $file['file'] ) );
    } elseif ( $filename_fallback ) {
        // ... construction of $filename from $filename_fallback ...
        $filename = SharedFilesFileOpen::getUpdatedPathAndFilename( sanitize_text_field( $filename_with_path_fallback ) );
    }

    // The plugin proceeds to serve $filename without verifying it is inside the uploads directory.
    // ...
}
```
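The containment test that the branch above omits, written out as an added Python example (not plugin code) so its edge cases can be exercised offline. It re-implements the realpath-plus-separator check used by the 1.7.58 fix against a constructed fake uploads tree (a temporary directory with constructed file contents), alongside the weaker variant without the trailing separator, to show why the separator matters and why a symlink planted inside shared-files is also rejected. The directory layout, file names and the `shared-files-evil` sibling directory are all assumptions made for the demonstration.

```python
"""Added example (Python, not plugin code): the containment check that the
vulnerable branch omits, exercised against a constructed uploads tree.

Mirrors the logic of the 1.7.58 fix: the candidate path must resolve
(realpath) to an existing file whose real path starts with
realpath(<uploads>/shared-files) followed by a path separator.
"""
import os
import tempfile


def is_inside_shared_files(candidate, uploads_basedir):
    """True only if `candidate` resolves to a real file under
    <uploads_basedir>/shared-files/.

    realpath() collapses '..' segments and follows symlinks, so a traversal
    string and a symlink planted inside shared-files both resolve to their
    real target before the prefix test. The trailing separator is what
    stops a sibling directory such as 'shared-files-evil' from matching.
    """
    base_prefix = os.path.realpath(os.path.join(uploads_basedir, "shared-files")) + os.sep
    real = os.path.realpath(candidate)
    # PHP's realpath() returns false for a missing path; Python still
    # returns a string, so the existence check is made explicitly here.
    if not os.path.isfile(real):
        return False
    return real.startswith(base_prefix)


def naive_prefix_check(candidate, uploads_basedir):
    """Weaker variant WITHOUT the trailing separator, kept only to show
    why the fix appends DIRECTORY_SEPARATOR to realpath($sf_upload_dir)."""
    base = os.path.realpath(os.path.join(uploads_basedir, "shared-files"))
    real = os.path.realpath(candidate)
    return os.path.isfile(real) and real.startswith(base)


def build_fixture():
    """Create a constructed WordPress-like tree in a temp dir (assumed layout):

      <root>/wp-config.php                                  sensitive, outside uploads
      <root>/wp-content/uploads/shared-files/report.pdf     legitimate shared file
      <root>/wp-content/uploads/shared-files/link -> <root>/wp-config.php
      <root>/wp-content/uploads/shared-files-evil/x.txt     sibling directory

    Returns (uploads_basedir, {case_name: candidate_path}).
    """
    root = tempfile.mkdtemp(prefix="sf-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    sf_dir = os.path.join(uploads, "shared-files")
    evil_dir = os.path.join(uploads, "shared-files-evil")
    os.makedirs(sf_dir)
    os.makedirs(evil_dir)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-value');\n")
    with open(os.path.join(sf_dir, "report.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed sample\n")
    with open(os.path.join(evil_dir, "x.txt"), "w") as fh:
        fh.write("sibling directory content\n")
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(sf_dir, "link"))

    cases = {
        "legit":          os.path.join(sf_dir, "report.pdf"),
        "traversal":      os.path.join(sf_dir, "..", "..", "..", "wp-config.php"),
        "absolute":       os.path.join(root, "wp-config.php"),
        "sibling_prefix": os.path.join(evil_dir, "x.txt"),
        "symlink_out":    os.path.join(sf_dir, "link"),
        "missing":        os.path.join(sf_dir, "does-not-exist.pdf"),
    }
    return uploads, cases


def evaluate_cases():
    """Run every constructed candidate through both checks."""
    uploads, cases = build_fixture()
    return {
        "fixed": {n: is_inside_shared_files(p, uploads) for n, p in cases.items()},
        "naive": {n: naive_prefix_check(p, uploads) for n, p in cases.items()},
    }


if __name__ == "__main__":
    results = evaluate_cases()
    for name in results["fixed"]:
        fixed = "serve" if results["fixed"][name] else "reject"
        naive = "serve" if results["naive"][name] else "reject"
        print(f"{name:15} fixed={fixed:6} naive={naive}")
```

Running the script prints one row per case: only `legit` is served by the fixed check, while the naive prefix test without the separator also serves `sibling_prefix`, which is the case the `DIRECTORY_SEPARATOR` suffix in the patch exists to close.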
Security Fix
@@ -131,6 +131,20 @@ echo '<pre>' . var_dump( esc_html( $filename_fallback ) ) . '</pre>'; wp_die(); } + $wp_upload_dir = wp_upload_dir(); + $sf_upload_dir = $wp_upload_dir['basedir'] . DIRECTORY_SEPARATOR . 'shared-files' . DIRECTORY_SEPARATOR; + $realFilePath = realpath( $filename ); + $realBasePath = realpath( $sf_upload_dir ) . DIRECTORY_SEPARATOR; + if ( $realFilePath === false || strpos( $realFilePath, $realBasePath ) !== 0 ) { + echo '<pre>ERROR CODE: 200152</pre>'; + if ( is_super_admin() ) { + echo '<pre>' . esc_html__( 'Debug info for admin:', 'shared-files' ) . '</pre>'; + echo '<pre>' . esc_html( var_dump( $filename ) ) . '</pre>'; + echo '<pre>' . esc_html( var_dump( $realFilePath ) ) . '</pre>'; + echo '<pre>' . esc_html( var_dump( $realBasePath ) ) . '</pre>'; + } + wp_die(); + } if ( !$redirect && (!isset( $filename ) || !file_exists( $filename )) ) { wp_die( esc_html__( 'File not found:', 'shared-files' ) . '<br />' . $filename ); }
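Review bot: the super-admin debug lines in the added block wrap var_dump() in esc_html(), but var_dump() prints directly and returns null, so `echo '<pre>' . esc_html( var_dump( $filename ) ) . '</pre>';` writes the raw value to the page and escapes an empty string; use `esc_html( var_export( $filename, true ) )` (or `print_r( $filename, true )`) for all three lines, and the pre-existing context line `echo '<pre>' . var_dump( esc_html( $filename_fallback ) ) . '</pre>';` has the same problem. The containment check itself is sound as written: realpath() collapses `..` segments and follows symlinks, a nonexistent path yields false and is rejected, and appending DIRECTORY_SEPARATOR to realpath( $sf_upload_dir ) stops a sibling directory such as shared-files-evil from matching the prefix. Since the check runs before the `!$redirect` file_exists branch it covers both open methods, provided the `$filename` it validates is the same variable the later serving code uses.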
Exploit Outline
1. Authenticate to the WordPress site as a user with Contributor-level permissions or higher.
2. Create a new 'Shared Files' post (post type: `shared_files`).
3. Identify the post ID of the newly created post.
4. Use a script or intercept the post save request to modify the post's metadata. Specifically, set the `_sf_file` meta value (a serialized array containing the 'file' key) or the `_sf_filename` meta value to a traversal or absolute path targeting a sensitive file (e.g., `../../../../wp-config.php` or `/etc/passwd`).
5. Access the file download endpoint for the specific post: `[site-url]/shared-files/[post-id]/[any-filename]`.
6. The plugin's `SharedFilesAdminQuery::alter_the_query` function will trigger, retrieve the malicious path from the metadata, and serve the file contents to the browser.