XSS Vulnerability in Shared Files Plugin for WordPress
CVE-2025-4392

7.2HIGH

Key Information:

Vendor

WordPress
Status
Shared Files – Frontend File Upload Form & Secure File Sharing
Vendor
CVE Published:
3 June 2025

What is CVE-2025-4392?

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin is prone to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping during html file uploads. This vulnerability allows unauthenticated attackers to circumvent the plugin's MIME-type checks, enabling them to inject malicious web scripts. These scripts can execute when users access the compromised html files, potentially leading to further attacks and exploitation of the website.

Affected Version(s)

Shared Files – Frontend File Upload Form & Secure File Sharing * <= 1.7.48

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://github.com/anssilaitila/shared-files/blob/master/...
https://wordpress.org/plugins/shared-files/#developers

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Martin Martin
.