CVE-2026-49112

Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.64 - Unauthenticated Path Traversal

mediumImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.7.65
Patched in
6d
Time to patch

Description

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.64. This makes it possible for unauthenticated attackers to perform actions on files outside of the originally intended directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.64
PublishedJune 5, 2026
Last updatedJune 10, 2026
Affected pluginshared-files

What Changed in the Fix

Changes introduced in v1.7.65

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-49112 Unauthenticated Path Traversal ## 1. Vulnerability Summary The **Shared Files – Frontend File Upload Form & Secure File Sharing** plugin (<= 1.7.64) contains an unauthenticated path traversal vulnerability. The vulnerability exists in the handling of th…

Show full research plan

Vulnerability Research Plan: CVE-2026-49112 Unauthenticated Path Traversal

1. Vulnerability Summary

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin (<= 1.7.64) contains an unauthenticated path traversal vulnerability. The vulnerability exists in the handling of the subdir parameter during frontend file operations (specifically the file upload process). Unauthenticated users can manipulate this parameter using traversal sequences (e.g., ../../) to cause the plugin to perform file actions (like saving an uploaded file) outside of the intended /wp-content/uploads/shared-files/ directory.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: shared_files_upload_file (Unauthenticated AJAX action)
  • Vulnerable Parameter: subdir
  • Authentication: Unauthenticated (accessible via wp_ajax_nopriv_shared_files_upload_file)
  • Preconditions: The "Allow visitors to upload files without logging in" setting must be enabled, or the [shared_files file_upload=1] shortcode must be present on a public page.

3. Code Flow

  1. Entry Point: A user submits a file via the frontend uploader. This triggers a POST request to admin-ajax.php with the action shared_files_upload_file.
  2. Path Construction: The plugin calls `

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.