Stored Cross-Site Scripting in User Private Files Plugin for WordPress
CVE-2026-10093

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Secure Client Portal And Private File Sharing Plugin – User Private Files
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-10093?

The User Private Files plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) attacks due to inadequate input sanitization and output escaping in the 'fldr_ttl' parameter. This vulnerability allows authenticated users with subscriber-level access or higher to inject arbitrary web scripts. The malicious scripts may execute when any user accesses the compromised pages, potentially leading to unauthorized data exposure and site manipulation. It's crucial for site administrators to update the plugin to the latest version to mitigate this risk.

Affected Version(s)

Secure Client Portal and Private File Sharing Plugin – User Private Files 0 <= 2.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/user-private-f...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
May 29, 2026

Credit

pham quang huy

CVE-2026-10093 Data

JSON