CVE-2025-4392
📋 TL;DR
The Shared Files WordPress plugin allows unauthenticated attackers to upload HTML files containing malicious JavaScript, which executes when users access those files. This stored XSS vulnerability affects all WordPress sites using plugin versions up to 1.7.48. Attackers can hijack user sessions, deface websites, or redirect visitors to malicious sites.
💻 Affected Systems
- Shared Files – Frontend File Upload Form & Secure File Sharing WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through admin session hijacking, credential theft from all users, malware distribution to visitors, and persistent website defacement.
Likely Case
Session hijacking of logged-in users, website defacement via injected content, and redirection to phishing/malware sites.
If Mitigated
Limited to temporary disruption if proper WAF rules block malicious uploads and user sessions have short timeouts.
🎯 Exploit Status
Exploitation requires only uploading an HTML file with JavaScript payload. Public proof-of-concept exists in GitHub commits and WordPress trac.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.49 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3304053/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Shared Files' plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 1.7.49+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable HTML file uploads via .htaccess
linuxBlock HTML file uploads at web server level
Add to .htaccess: <FilesMatch "\.(html|htm)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Temporarily disable plugin
allDeactivate vulnerable plugin until patched
wp plugin deactivate shared-files
🧯 If You Can't Patch
- Disable the Shared Files plugin immediately
- Implement WAF rules to block HTML file uploads to the plugin's upload endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Shared Files version. If version is 1.7.48 or lower, system is vulnerable.Check Version:
wp plugin get shared-files --field=versionVerify Fix Applied:
Verify plugin version is 1.7.49 or higher in WordPress admin panel. Test uploading HTML file - should be blocked or sanitized.📡 Detection & Monitoring
Log Indicators:
- HTML file uploads to /wp-content/uploads/shared-files/
- Multiple failed upload attempts with .html extension
- Unusual file upload patterns from single IP
Network Indicators:
- POST requests to file upload endpoints with .html files
- Base64 encoded JavaScript in upload payloads
SIEM Query:
source="web_server" AND (uri_path="*shared-files*" AND file_extension=".html")🔗 References
- https://github.com/anssilaitila/shared-files/blob/master/admin/class-sf-admin-allow-more-file-types.php
- https://plugins.trac.wordpress.org/changeset/3304053/
- https://wordpress.org/plugins/shared-files/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/469a9c8a-0708-4c93-99d8-e9157a1f91f5?source=cve
