Secure Client Portal And Private File Sharing Plugin User Private Files
Monthly
Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.
Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.