Skip to main content

User Private Files EUVDEUVD-2026-37041

| CVE-2026-10093 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Wordfence GHSA-r4jp-23x3-5jhg
6.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to visit the injected page (UI:R); all other metrics align with network-delivered, subscriber-authenticated, scope-changed impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 08:16 vuln.today
CVE Published
Jun 16, 2026 - 07:46 cve.org
MEDIUM 6.4

DescriptionNVD

The File Sharing & Download Manager - User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.

Technical ContextAI

The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a Stored XSS class where user-supplied input is persisted to a database and later rendered to HTML without adequate sanitization or output escaping. The affected plugin, identified via CPE cpe:2.3:a:deepakkite:secure_client_portal_and_private_file_sharing_plugin_-_user_private_files:*:*:*:*:*:*:*:*, handles private file and folder management for WordPress sites. The vulnerable 'fldr_ttl' parameter represents a folder title field processed by multiple template files: files-shared.php (lines 255, 260), files.php (lines 160, 165), render.php (line 68), and the folder function handler inc/functions-folder.php (line 463). None of these locations applied WordPress's standard esc_html() or esc_attr() output escaping before rendering the parameter into page HTML, allowing raw HTML/JavaScript to be written and later served to visiting users.

RemediationAI

Vendor-released patch: version 2.1.7. Site administrators should update the 'User Private Files' plugin to version 2.1.7 or later immediately via the WordPress admin dashboard (Plugins → Updates) or via WP-CLI using 'wp plugin update user-private-files'. The fix is confirmed by the Trac changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Fuser-private-files/tags/2.1.6&new_path=%2Fuser-private-files/tags/2.1.7. If immediate patching is not possible, a compensating control is to restrict WordPress user registration (Settings → General → uncheck 'Anyone can register') to eliminate the subscriber-level attack vector from external parties, though this does not protect against already-registered low-privilege users. A Web Application Firewall rule blocking script injection patterns in the 'fldr_ttl' POST parameter provides additional defense-in-depth but should not substitute for patching. Audit existing folder titles stored in the database for suspicious HTML or JavaScript content as part of incident response.

Share

EUVD-2026-37041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy