Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.64 - Unauthenticated Path Traversal
Description
The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.64. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.7.65
Source Code
WordPress.org SVN# Vulnerability Research Plan: CVE-2026-49112 Unauthenticated Path Traversal ## 1. Vulnerability Summary The **Shared Files – Frontend File Upload Form & Secure File Sharing** plugin (<= 1.7.64) contains an unauthenticated path traversal vulnerability. The vulnerability exists in the handling of th…
Show full research plan
Vulnerability Research Plan: CVE-2026-49112 Unauthenticated Path Traversal
1. Vulnerability Summary
The Shared Files – Frontend File Upload Form & Secure File Sharing plugin (<= 1.7.64) contains an unauthenticated path traversal vulnerability. The vulnerability exists in the handling of the subdir parameter during frontend file operations (specifically the file upload process). Unauthenticated users can manipulate this parameter using traversal sequences (e.g., ../../) to cause the plugin to perform file actions (like saving an uploaded file) outside of the intended /wp-content/uploads/shared-files/ directory.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - Action:
shared_files_upload_file(Unauthenticated AJAX action) - Vulnerable Parameter:
subdir - Authentication: Unauthenticated (accessible via
wp_ajax_nopriv_shared_files_upload_file) - Preconditions: The "Allow visitors to upload files without logging in" setting must be enabled, or the
[shared_files file_upload=1]shortcode must be present on a public page.
3. Code Flow
- Entry Point: A user submits a file via the frontend uploader. This triggers a
POSTrequest toadmin-ajax.phpwith the actionshared_files_upload_file. - Path Construction: The plugin calls `
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.