Skip to main content

Shared Files

4 CVEs product

Monthly

CVE-2026-49112 HIGH This Week

Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.

Path Traversal Shared Files
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-4819 MEDIUM POC This Month

The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Shared Files
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24856 MEDIUM POC This Month

The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Shared Files
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24736 MEDIUM POC This Month

The Easy Download Manager and File Sharing Plugin with frontend file upload - a better Media Library - Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS File Upload Shared Files
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated path traversal in the Shared Files WordPress plugin (versions 1.7.64 and earlier) allows remote attackers to read arbitrary files outside the plugin's intended directory scope on the underlying WordPress host. The flaw is reachable without authentication over the network and carries a CVSS 7.5 with high confidentiality impact, though no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Disclosed by Patchstack, the bug primarily threatens sensitive files such as wp-config.php and other server-side secrets accessible to the web user.

Path Traversal Shared Files
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Shared Files
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Shared Files
NVD WPScan
EPSS 1% CVSS 4.8
MEDIUM POC This Month

The Easy Download Manager and File Sharing Plugin with frontend file upload - a better Media Library - Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS File Upload +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy