Volerion logoVolerion
Volerion logoVolerion

User Private Files WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the User Private Files – File Upload & Download Manager with Secure File Sharing plugin for WordPress, affecting all versions through 2.1.3. The vulnerability arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts. These scripts are executed when a user accesses the compromised page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can upload a new folder through the WordPress dashboard. During this process, the 'new-fldr-name' parameter can be manipulated to include malicious scripts. Once the folder is created, the injected script will execute whenever a user accesses the folder page.

Remediation

Users are advised to update the User Private Files WordPress plugin to version 2.1.4 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
1.0
impact
1.7
exploitability
6.2
remediation
7.7
relevance
0.0
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.