[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frmupYnfO5oEJVxNnMl_jtNyI25KyepS2eZVHpj8oGD4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2025-15433","shared-files-frontend-file-upload-form-secure-file-sharing-authenticated-contributor-arbitrary-file-download","Shared Files – Frontend File Upload Form & Secure File Sharing \u003C 1.7.58 - Authenticated (Contributor+) Arbitrary File Download","The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Path Traversal in all versions up to 1.7.58 (exclusive). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","shared-files",null,"\u003C1.7.58","1.7.58","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-03-30 00:00:00","2026-04-09 16:26:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe9b3f1ff-4f8b-45ec-90eb-1a75353654e3?source=api-prod",11,[22,23,24,25],"README.txt","admin\u002Fclass-sf-admin-query.php","languages\u002Fshared-files.pot","shared-files.php","researched",false,3,"This plan outlines the research and exploitation strategy for CVE-2025-15433, a path traversal vulnerability in the \"Shared Files\" WordPress plugin.\n\n### 1. Vulnerability Summary\nThe **Shared Files** plugin (versions \u003C 1.7.58) fails to properly sanitize or validate file paths stored in the metadata of its `shared_files` Custom Post Type (CPT). When a file is requested via the plugin's custom URL routing, the `SharedFilesAdminQuery::alter_the_query` function retrieves the file path from the `_sf_file` or `_sf_filename` post meta and serves it using standard file system functions.\n\nBecause authenticated users with **Contributor-level** permissions can create and manage their own `shared_files` posts, they can manipulate the associated metadata to point to sensitive system files (e.g., `wp-config.php`). The plugin then serves these files to the attacker through its download handler.\n\n### 2. 
Attack Vector Analysis\n- **Vulnerable Endpoint**: Any URL matching the plugin's routing pattern: `[site-url]\u002Fshared-files\u002F[post-id]\u002F[filename]`\n- **Vulnerable Function**: `SharedFilesAdminQuery::alter_the_query` in `admin\u002Fclass-sf-admin-query.php`.\n- **Preconditions**:\n    - Authenticated as a Contributor or higher.\n    - Ability to create\u002Fedit a post of type `shared_files`.\n- **Payload**: A path traversal string (e","The Shared Files plugin for WordPress is vulnerable to Path Traversal due to insufficient validation of file paths stored in the metadata of 'shared_files' posts. Authenticated attackers with Contributor-level access can manipulate these metadata fields to point to sensitive system files, which are then served for download by the plugin's query handler.","\u002F\u002F admin\u002Fclass-sf-admin-query.php (approx. lines 122-140 in version 1.7.57)\n$file = get_post_meta( $file_id, '_sf_file', true );\n$filename_fallback = get_post_meta( $file_id, '_sf_filename', true );\n\nif ( $external_url ) {\n    \u002F\u002F ... external redirect logic ...\n} elseif ( $file || $filename_fallback ) {\n    $redirect = 0;\n    if ( isset( $s['file_open_method'] ) && $s['file_open_method'] == 'redirect' ) {\n        $redirect = 1;\n    }\n    $filename = '';\n    if ( isset( $file['file'] ) ) {\n        $filename = SharedFilesFileOpen::getUpdatedPathAndFilename( sanitize_text_field( $file['file'] ) );\n    } elseif ( $filename_fallback ) {\n        \u002F\u002F ... 
construction of $filename from $filename_fallback ...\n        $filename = SharedFilesFileOpen::getUpdatedPathAndFilename( sanitize_text_field( $filename_with_path_fallback ) );\n    }\n    \n    \u002F\u002F The plugin proceeds to serve $filename without verifying it is inside the uploads directory.","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshared-files\u002F1.7.57\u002Fadmin\u002Fclass-sf-admin-query.php\t2025-08-19 11:09:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fshared-files\u002F1.7.58\u002Fadmin\u002Fclass-sf-admin-query.php\t2026-01-14 13:48:12.000000000 +0000\n@@ -131,6 +131,20 @@\n                         echo '\u003Cpre>' . var_dump( esc_html( $filename_fallback ) ) . '\u003C\u002Fpre>';\n                         wp_die();\n                     }\n+                    $wp_upload_dir = wp_upload_dir();\n+                    $sf_upload_dir = $wp_upload_dir['basedir'] . DIRECTORY_SEPARATOR . 'shared-files' . DIRECTORY_SEPARATOR;\n+                    $realFilePath = realpath( $filename );\n+                    $realBasePath = realpath( $sf_upload_dir ) . DIRECTORY_SEPARATOR;\n+                    if ( $realFilePath === false || strpos( $realFilePath, $realBasePath ) !== 0 ) {\n+                        echo '\u003Cpre>ERROR CODE: 200152\u003C\u002Fpre>';\n+                        if ( is_super_admin() ) {\n+                            echo '\u003Cpre>' . esc_html__( 'Debug info for admin:', 'shared-files' ) . '\u003C\u002Fpre>';\n+                            echo '\u003Cpre>' . esc_html( var_dump( $filename ) ) . '\u003C\u002Fpre>';\n+                            echo '\u003Cpre>' . esc_html( var_dump( $realFilePath ) ) . '\u003C\u002Fpre>';\n+                            echo '\u003Cpre>' . esc_html( var_dump( $realBasePath ) ) . 
'\u003C\u002Fpre>';\n+                        }\n+                        wp_die();\n+                    }\n                     if ( !$redirect && (!isset( $filename ) || !file_exists( $filename )) ) {\n                         wp_die( esc_html__( 'File not found:', 'shared-files' ) . '\u003Cbr \u002F>' . $filename );\n                     }","1. Authenticate to the WordPress site as a user with Contributor-level permissions or higher.\n2. Create a new 'Shared Files' post (post type: `shared_files`).\n3. Identify the post ID of the newly created post.\n4. Use a script or intercept the post save request to modify the post's metadata. Specifically, set the `_sf_file` (serialized array containing the 'file' key) or `_sf_filename` meta values to a path targeting a sensitive file (e.g., `..\u002F..\u002F..\u002F..\u002Fwp-config.php` or `\u002Fetc\u002Fpasswd`).\n5. Access the file download endpoint for the specific post: `[site-url]\u002Fshared-files\u002F[post-id]\u002F[any-filename]`.\n6. The plugin's `SharedFilesAdminQuery::alter_the_query` function will trigger, retrieve the malicious path from the metadata, and serve the file contents to the browser.","gemini-3-flash-preview","2026-04-17 22:23:18","2026-04-17 22:24:11",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.7.57","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshared-files\u002Ftags\u002F1.7.57","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshared-files.1.7.57.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshared-files\u002Ftags\u002F1.7.58","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fshared-files.1.7.58.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fshared-files\u002Ftags"]