XSS Vulnerability in Shared Files Plugin for WordPress
CVE-2025-4392

7.2HIGH

Key Information:

Vendor: WordPress
Status: Shared Files – Frontend File Upload Form & Secure File Sharing
Vendor: CVE Published:; 3 June 2025

What is CVE-2025-4392?

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin is prone to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping during html file uploads. This vulnerability allows unauthenticated attackers to circumvent the plugin's MIME-type checks, enabling them to inject malicious web scripts. These scripts can execute when users access the compromised html files, potentially leading to further attacks and exploitation of the website.

Affected Version(s)

Shared Files – Frontend File Upload Form & Secure File Sharing * <= 1.7.48

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://github.com/anssilaitila/shared-files/blob/master/...

https://wordpress.org/plugins/shared-files/#developers

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2025
Vulnerability Reserved
May 6, 2025

Credit

Martin Martin