CVE-2025-14632
📋 TL;DR
The Filr WordPress plugin, in versions up to and including 1.2.11, lets authenticated administrators upload HTML files containing JavaScript because the uploader does not adequately validate file types. The result is a stored cross-site scripting (XSS) flaw: the script runs in the browser of any user who opens the uploaded file, in the site's origin. The issue is fixed in 1.2.12.
💻 Affected Systems
- Filr – Secure document library WordPress plugin
⚠️ Manual Verification Required
Automated detection cannot rely on this CVE's database entry to decide whether your install is affected.
Why? The NVD entry carries no structured version range from the vendor or NVD. The affected range is nonetheless stated above (1.2.11 and below, fixed in 1.2.12), so confirm the installed version by hand as described under How to Verify.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A compromised or malicious administrator account uploads HTML that runs script in the browsers of everyone who opens the document, other administrators included; from those sessions the attacker can create users, install plugins and change settings, which amounts to full site takeover, data theft, malware distribution to visitors and defacement. Keep in mind that on a standard single-site install administrators already hold the unfiltered_html capability and can publish script directly, so this flaw crosses a real security boundary mainly on multisite installs or where DISALLOW_UNFILTERED_HTML is set.
Likely Case
A malicious administrator uploads an HTML file carrying JavaScript, which executes when another user opens the file. Because uploads are normally served from the site's own origin, the script can issue authenticated requests on the victim's behalf; WordPress auth cookies are HttpOnly, so outright cookie theft is unlikely, but actions performed in the victim's session are not.
If Mitigated
If HTML uploads are rejected at upload time, or stored files are served as downloads (Content-Disposition: attachment) rather than rendered, the impact shrinks to storing a harmless file. Note that the site's own Content-Security-Policy does not help unless the web server also applies it to responses from the upload directory.
🎯 Exploit Status
Exploitation requires admin privileges but is straightforward once authenticated. Attackers can upload HTML files directly through the vulnerable upload functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.12 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Filr plugin and click 'Update Now'.
4. Verify the version shown is 1.2.12 or higher.
🔧 Temporary Workarounds
Restrict file upload permissions
- Limit 'filr' post type creation/editing to trusted administrators only
Implement web application firewall rules
- Block HTML file uploads through the Filr plugin endpoint
🧯 If You Can't Patch
- Temporarily disable the Filr plugin until patching is possible
- Enforce the HTML restriction at the web server: refuse to serve .html/.htm files from the plugin's storage directory, or serve them as downloads (Content-Disposition: attachment) so they never render in the site's origin, which also neutralises files uploaded before patching
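An nginx fragment implementing the web-server-level control above, added here as an example (it is not from the Filr plugin or its vendor). It assumes nginx in front of WordPress and that Filr keeps its documents under the standard wp-content/uploads path; check the plugin's actual storage directory on your install and adjust the location regex accordingly.

```nginx
# Any (X)HTML-like file under the uploads tree is delivered as a download with
# sniffing disabled and a fully sandboxed CSP, so a stored payload cannot run
# in the site's origin. Swap the add_header lines for "return 403;" if the
# site never needs to hand out HTML documents at all.
location ~* ^/wp-content/uploads/.*\.(html?|xhtml)$ {
    # add_header inside a location REPLACES headers inherited from server{};
    # re-declare any global security headers (HSTS etc.) here as well.
    add_header Content-Disposition "attachment" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'none'; sandbox" always;
    try_files $uri =404;
}
```

Reload nginx (`nginx -t && nginx -s reload`) and confirm with `curl -I` against a known .html URL in the uploads tree that the three headers are present; if they are missing, the location is not matching the plugin's real storage path.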
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Filr → Version. If version is 1.2.11 or lower, system is vulnerable.
Check Version (the plugin slug is filr-protection, as the plugin repository links in the references show):
wp plugin list --name=filr-protection --field=version
Verify Fix Applied:
After updating, confirm plugin version is 1.2.12 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML file uploads via Filr endpoints
- Multiple file upload attempts with different extensions
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=filr_upload containing HTML content
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters.action="filr_upload" AND (file_extension="html" OR file_extension="htm"))
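Two small triage helpers that apply the indicators above, added here as an example and not taken from the Filr plugin or its vendor. The first walks a document directory for already-uploaded HTML that can execute script, the case that matters under "If You Can't Patch", where files uploaded before the fix remain on disk; the second applies the SIEM query's logic to parsed request records. The uploads path, the record field names and all sample data are constructed assumptions, and the action name filr_upload is the one listed in the indicators above, which should be confirmed against the installed plugin's source before an alert is built on it.

```python
"""Triage helpers for CVE-2025-14632 (Filr stored XSS via uploaded HTML).

Added example, not code from the Filr plugin or its vendor. Assumptions:
- documents live under a directory you point the scanner at (wp-content/uploads
  is the usual place; Filr may use its own subfolder);
- request records carry the fields named in the advisory's SIEM query
  (uri_path, parameters.action) plus method and filename;
- the AJAX action is 'filr_upload' as listed above; verify against the plugin.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# Markup that lets an uploaded HTML document run script when rendered in the site's origin.
SCRIPT_MARKERS = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<iframe\b|<object\b|<embed\b|srcdoc\s*=",
    re.IGNORECASE,
)
# Extensions browsers render as (X)HTML; the plugin should never have accepted these.
HTML_EXTENSIONS = {".html", ".htm", ".xhtml"}
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "filr_upload"  # from the advisory's indicators; confirm in the plugin source


def find_suspicious_html(root: str) -> list[str]:
    """Return root-relative paths of HTML-like files containing script-capable markup.

    Only the first 1 MiB of each file is inspected: payloads sit at the top of the
    document and bounding the read keeps triage fast on large trees.
    """
    base = Path(root)
    hits = []
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in HTML_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(1 << 20)
        if SCRIPT_MARKERS.search(head):
            hits.append(path.relative_to(base).as_posix())
    return sorted(hits)


def match_upload_events(events: Iterable[dict]) -> list[dict]:
    """Apply the advisory's SIEM logic: POST to admin-ajax.php with action=filr_upload
    and an uploaded filename ending in .html/.htm (case-insensitive)."""
    matches = []
    for ev in events:
        if ev.get("method") != "POST" or ev.get("uri_path") != UPLOAD_ENDPOINT:
            continue
        if ev.get("parameters", {}).get("action") != UPLOAD_ACTION:
            continue
        ext = os.path.splitext(ev.get("filename", ""))[1].lower()
        if ext in {".html", ".htm"}:
            matches.append(ev)
    return matches


# Constructed sample records (not real traffic) in the shape a SIEM would expose.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T10:00:01Z", "user": "admin", "method": "POST",
     "uri_path": UPLOAD_ENDPOINT, "parameters": {"action": UPLOAD_ACTION},
     "filename": "quarterly-report.pdf"},          # legitimate document
    {"ts": "2025-12-01T10:02:14Z", "user": "admin", "method": "POST",
     "uri_path": UPLOAD_ENDPOINT, "parameters": {"action": UPLOAD_ACTION},
     "filename": "invoice.HTML"},                  # should alert; note the upper-case extension
    {"ts": "2025-12-01T10:02:15Z", "user": "admin", "method": "GET",
     "uri_path": UPLOAD_ENDPOINT, "parameters": {"action": UPLOAD_ACTION},
     "filename": "probe.html"},                    # GET cannot carry an upload body
    {"ts": "2025-12-01T10:03:00Z", "user": "editor", "method": "POST",
     "uri_path": UPLOAD_ENDPOINT, "parameters": {"action": "heartbeat"},
     "filename": "notes.htm"},                     # unrelated AJAX action
]


def demo_scan() -> list[str]:
    """Build a constructed document tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "filr"
        docs.mkdir()
        (docs / "handbook.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
        (docs / "notes.html").write_text("<h1>Team notes</h1><p>Plain markup, no script.</p>")
        (docs / "invoice.HTML").write_text('<body onload="alert(document.domain)"></body>')
        (docs / "policy.htm").write_text("<p>Policy</p><script>alert(document.domain)</script>")
        return find_suspicious_html(tmp)


if __name__ == "__main__":
    for rel in demo_scan():
        print("script-capable upload:", rel)
    for ev in match_upload_events(SAMPLE_EVENTS):
        print("suspicious upload request:", ev["ts"], ev["user"], ev["filename"])
```

Run `find_suspicious_html("/var/www/html/wp-content/uploads")` (or the plugin's real storage path) on a live site and quarantine every hit before serving the directory again; the extension comparison in both helpers is case-insensitive on purpose, since a filter that only looks for lower-case `.html` misses `invoice.HTML`, which browsers render just the same.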
🔗 References
- https://plugins.trac.wordpress.org/browser/filr-protection/tags/1.2.10/src/class-filr-uploader.php#L14
- https://plugins.trac.wordpress.org/browser/filr-protection/trunk/src/class-filr-uploader.php#L14
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425333%40filr-protection&new=3425333%40filr-protection&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c16c3a8d-bae1-4729-86c8-ec13481ff187?source=cve