CVE-2025-4392 7.2 HIGH
Stored Cross-Site Scripting (XSS) via file upload in the Shared Files plugin allows unauthenticated attackers to inject malicious scripts that execute when users access uploaded files.
| Field | Value |
|---|---|
| Product | Shared Files – Frontend File Upload Form & Secure File Sharing |
| Affected Versions | ≤ 1.7.48 |
| Fixed Version | 1.7.49 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CWE | CWE-79 (Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)) |
| Published | 2025-06-03 |
| Active installs | 4,000+ |
Description
The Shared Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.7.48. The vulnerability exists in the sanitize_file() function, which only invokes its SVG sanitizer when finfo_file() reports the uploaded content as exactly image/svg+xml. An attacker can craft an SVG file with a leading blank line or non-SVG text comment that makes finfo classify it as text/plain instead, which is accepted by the plugin's allowed-MIME gate (text/plain is in WordPress core's allowed list via the .txt extension). The sanitizer's else branch then returns the raw bytes unchanged, the file is saved with a .svg extension, and the web server later serves it back as image/svg+xml based on the extension. Any browser that opens the file parses it as SVG and runs whatever script the SVG contains in the site's origin.
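The two decision points described above, shown as an added illustration that is not the plugin's code: `detect_mime()` is a stand-in for `finfo_file()` so the script runs offline, `sanitize_svg()` is a placeholder rather than a real SVG sanitizer, and all function names are hypothetical. The hardened gate keys its decision on the extension the file will be served under, because that is what fixes the Content-Type the browser acts on.

```php
<?php
// Stand-in for finfo_file(): like real finfo, it only reports SVG when the
// bytes begin with an SVG/XML root, so a leading blank line yields text/plain.
function detect_mime(string $bytes): string {
    return preg_match('/^<(\?xml|svg)\b/', $bytes) ? 'image/svg+xml' : 'text/plain';
}

// Placeholder sanitizer (not production grade): drops <script> elements and
// on* event handler attributes. A real deployment should use a proper SVG sanitizer.
function sanitize_svg(string $svg): string {
    $svg = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $svg);
    return preg_replace('/\son\w+\s*=\s*("[^"]*"|\'[^\']*\')/i', '', $svg);
}

// Flawed gate, as the advisory describes it: sanitize only when finfo says SVG,
// otherwise hand the raw bytes back unchanged.
function sanitize_file_vulnerable(string $bytes): string {
    if (detect_mime($bytes) === 'image/svg+xml') {
        return sanitize_svg($bytes);
    }
    return $bytes; // else branch: untouched bytes, later saved as .svg
}

// Hardened gate: anything that will be stored and served as .svg is always
// sanitized; every other extension must agree with the sniffed content type.
function sanitize_file_hardened(string $filename, string $bytes): string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === 'svg') {
        return sanitize_svg($bytes);
    }
    $expected = ['txt' => 'text/plain']; // allow-list of non-SVG extensions
    if (!isset($expected[$ext]) || detect_mime($bytes) !== $expected[$ext]) {
        throw new RuntimeException("content/extension mismatch for $filename");
    }
    return $bytes;
}

// Constructed sample: an SVG preceded by a blank line, with an inert script element.
$sample = "\n<svg xmlns=\"http://www.w3.org/2000/svg\"><script>/* constructed */</script></svg>";
$hasScript = fn(string $s): bool => stripos($s, '<script') !== false;

echo 'finfo stand-in reports: ', detect_mime($sample), PHP_EOL;
echo 'vulnerable gate keeps <script>: ', var_export($hasScript(sanitize_file_vulnerable($sample)), true), PHP_EOL;
echo 'hardened gate keeps <script>:   ', var_export($hasScript(sanitize_file_hardened('upload.svg', $sample)), true), PHP_EOL;
```

Renaming the same bytes to `upload.txt` passes the hardened gate, which is acceptable because a `.txt` file is served as text and never parsed as SVG.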
Impact
An unauthenticated attacker can store an SVG file whose JavaScript runs in the browser of any user who opens it from the Shared Files list, including site administrators. This leads to session hijacking, forced admin actions, exfiltration of admin-only data and account takeover via the admin's authenticated session.