Filr WordPress Plugin Stored Cross-Site Scripting Vulnerability via Unrestricted File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Filr – Secure Document Library plugin for WordPress, affecting all versions up to and including 1.2.11. The root cause is insufficient file type restriction in the plugin's FILR_Uploader class: the upload handler does not reject HTML, so an authenticated attacker with Administrator-level access can upload an HTML file containing JavaScript through the plugin's own upload feature. The stored file is served back by the site, and its script executes in the browser of any user who opens it, in particular users with permission to create or edit posts of the 'filr' post type.

Impact

Successful exploitation yields stored cross-site scripting: the uploaded HTML file's JavaScript runs in the browser and session of whichever user opens the file. Because the attacker must already hold an Administrator account, the finding matters mainly where that role is constrained, for example on multisite installs, where Administrators lack the unfiltered_html capability; on a single-site install an Administrator can already place script on the site directly.

Reproduction

To reproduce, log in as a user with Administrator-level access and upload a file through the plugin's file upload feature, choosing an HTML file (for example one whose body contains a script element). The plugin stores the file without rejecting it. Any user with permission to create or edit 'filr' posts can then open the stored file, at which point the embedded JavaScript executes in that user's browser.

Remediation

Users are advised to update the Filr – Secure Document Library plugin to version 1.2.12 or a newer patched version. Updating does not remove files that were uploaded before the fix, so administrators should also review the plugin's upload directory for HTML files and delete any that are not expected.
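The following is an added example, not code from the Filr plugin or its fix. It shows what an upload handler for a document library should do instead of relying on a loose file type check: an explicit extension-to-MIME allow-list, a separate deny-list for active content, and a content sniff via WordPress's own wp_check_filetype_and_ext(). The doclib_* names, the DOCLIB_MIMES map and the choice of denied extensions beyond .html are assumptions of this example; only the WordPress core functions it calls are real.

```php
<?php
/**
 * Added example, not the plugin's code. Demonstrates allow-list upload
 * validation so that HTML never reaches the uploads directory.
 * doclib_* names and the extension lists are hypothetical.
 */

// Explicit extension => MIME map; anything absent is refused. This is used
// instead of get_allowed_mime_types() because on a single-site install an
// Administrator holds unfiltered_html, and that function then still returns
// 'htm|html' and 'js' for them.
const DOCLIB_MIMES = array(
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xls'  => 'application/vnd.ms-excel',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'txt'  => 'text/plain',
    'csv'  => 'text/csv',
    'zip'  => 'application/zip',
);

// Extensions a browser executes or renders as active content in the site's
// origin. Kept as a separate deny-list so that a later addition to
// DOCLIB_MIMES cannot re-enable them by mistake. Only .html/.htm is in the
// advisory; the other entries are this example's assumption about the class.
const DOCLIB_DENIED_EXT = array( 'html', 'htm', 'xhtml', 'shtml', 'svg', 'svgz', 'js', 'php', 'phtml', 'phar' );

/**
 * Validate one $_FILES entry. Returns true, or a WP_Error on rejection.
 */
function doclib_validate_upload( array $file ) {
    $name = isset( $file['name'] ) ? (string) $file['name'] : '';
    $tmp  = isset( $file['tmp_name'] ) ? (string) $file['tmp_name'] : '';

    if ( '' === $name || ! is_uploaded_file( $tmp ) ) {
        return new WP_Error( 'doclib_no_file', 'No uploaded file.' );
    }

    // Judge by the LAST extension, so "report.pdf.html" is treated as HTML.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );

    if ( in_array( $ext, DOCLIB_DENIED_EXT, true ) ) {
        return new WP_Error( 'doclib_active_content', 'Active content is not accepted.' );
    }
    if ( ! array_key_exists( $ext, DOCLIB_MIMES ) ) {
        return new WP_Error( 'doclib_not_allowed', 'File type is not in the document allow-list.' );
    }

    // Let WordPress sniff the content against the declared extension using the
    // restricted map. An empty type, or a corrected filename, means the
    // declared extension and the real content disagree.
    $check = wp_check_filetype_and_ext( $tmp, $name, DOCLIB_MIMES );
    if ( empty( $check['type'] ) || ! empty( $check['proper_filename'] ) ) {
        return new WP_Error( 'doclib_type_mismatch', 'File content does not match its extension.' );
    }

    return true;
}

/**
 * Handler for the library's own upload form (hypothetical hook target).
 * The capability and nonce checks stay even though the advisory's attacker is
 * already an Administrator: they stop the form being driven from elsewhere.
 */
function doclib_handle_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Not permitted.' );
    }
    check_admin_referer( 'doclib_upload' ); // dies on a missing or bad nonce

    if ( empty( $_FILES['document'] ) ) {
        wp_die( 'No file.' );
    }

    $ok = doclib_validate_upload( $_FILES['document'] );
    if ( is_wp_error( $ok ) ) {
        wp_die( esc_html( $ok->get_error_message() ) );
    }

    // Pass the same restricted map to wp_handle_upload so its own check agrees
    // with ours; test_form => false because this is not the core media form.
    $moved = wp_handle_upload( $_FILES['document'], array(
        'test_form' => false,
        'mimes'     => DOCLIB_MIMES,
    ) );
    if ( isset( $moved['error'] ) ) {
        wp_die( esc_html( $moved['error'] ) );
    }

    return $moved['file']; // absolute path of the stored document
}
```

The important design point is that the allow-list is the plugin's own, not the site-wide one: get_allowed_mime_types() is capability-aware and keeps 'htm|html' for any user with unfiltered_html, which on a single-site install includes every Administrator, so a document-library handler that defers to it will still accept HTML from exactly the role named in this advisory.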

Added: Jan 17, 2026, 3:19 AM
Updated: Jan 17, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          1.7
  exploitability  5.7
  remediation     7.7
  relevance       2.1
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.