Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N) yields arbitrary file read (C:H) without modifying or disrupting the system (I:N/A:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
AnalysisAI
Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.
Technical ContextAI
The affected component is the Shared Files plugin by tammersoft for WordPress (CPE cpe:2.3:a:tammersoft:shared_files), a file-sharing/download manager extension. The root cause is classified as CWE-35 (Path Traversal: '.../...//'), a variant of path traversal where the application fails to canonicalize or properly filter relative path segments before resolving a user-supplied filename against the filesystem. Because WordPress plugins typically expose download or preview handlers via admin-ajax.php or REST endpoints that accept a file identifier parameter, an attacker can supply traversal sequences to escape the plugin's upload directory and reach arbitrary files readable by the PHP/web-server process.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/shared-files/vulnerability/wordpress-shared-files-plugin-1-7-64-path-traversal-vulnerability) and upgrade Shared Files to the first release above 1.7.64 published by tammersoft on the WordPress plugin directory. If an upgraded version is not yet installable, deactivate and remove the Shared Files plugin entirely (the cleanest mitigation, at the cost of losing file-sharing functionality), or use a WAF/virtual-patching ruleset (Patchstack, Wordfence) to block requests containing traversal sequences such as '../', '..%2f', or encoded variants targeting the plugin's download/preview endpoint - this may produce false positives on legitimate filenames containing dots. Additionally rotate any secrets (DB password, WordPress salts in wp-config.php) if exposure is suspected, since path traversal read access could already have disclosed them.
More in Shared Files
View allThe Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded
The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which c
The Easy Download Manager and File Sharing Plugin with frontend file upload - a better Media Library - Shared Files Word
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36886
GHSA-r8mq-gf5f-f3j5