Skip to main content

Shared Files CVE-2026-49112

| EUVDEUVD-2026-36886 HIGH
Path Traversal: '.../...//' (CWE-35)
2026-06-15 Patchstack GHSA-r8mq-gf5f-f3j5
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N) yields arbitrary file read (C:H) without modifying or disrupting the system (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:32 vuln.today

DescriptionCVE.org

Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.

AnalysisAI

Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.

Technical ContextAI

The affected component is the Shared Files plugin by tammersoft for WordPress (CPE cpe:2.3:a:tammersoft:shared_files), a file-sharing/download manager extension. The root cause is classified as CWE-35 (Path Traversal: '.../...//'), a variant of path traversal where the application fails to canonicalize or properly filter relative path segments before resolving a user-supplied filename against the filesystem. Because WordPress plugins typically expose download or preview handlers via admin-ajax.php or REST endpoints that accept a file identifier parameter, an attacker can supply traversal sequences to escape the plugin's upload directory and reach arbitrary files readable by the PHP/web-server process.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/shared-files/vulnerability/wordpress-shared-files-plugin-1-7-64-path-traversal-vulnerability) and upgrade Shared Files to the first release above 1.7.64 published by tammersoft on the WordPress plugin directory. If an upgraded version is not yet installable, deactivate and remove the Shared Files plugin entirely (the cleanest mitigation, at the cost of losing file-sharing functionality), or use a WAF/virtual-patching ruleset (Patchstack, Wordfence) to block requests containing traversal sequences such as '../', '..%2f', or encoded variants targeting the plugin's download/preview endpoint - this may produce false positives on legitimate filenames containing dots. Additionally rotate any secrets (DB password, WordPress salts in wp-config.php) if exposure is suspected, since path traversal read access could already have disclosed them.

Share

CVE-2026-49112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy