Shared Files < 1.7.6 – Unauthenticated Stored Cross-Site Scripting | CVE 2023-4819 | Plugin Vulnerabilities

Description

The plugin does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts.

Proof of Concept

Upload an allowed WordPress extension such as JPG and inject it with a script such as: <script>alert(1);</script>. To access the resource, the uploaded file ID can be seen in the source code of the (Preview) button under data-file-url as such: /shared-files/{FILE_ID}/?xss.jpg and can be triggered using HTTP://url.com/shared-files/{FILE_ID}/?xss.jpg

Affects Plugins

Fixed in 1.7.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Zeyad Alshahrani

Submitter

Zeyad Alshahrani

Submitter website

https://github.com/ViktaVaughn

Verified

Yes

WPVDB ID

4423b023-cf4a-46cb-b314-7a09ac08b29a

Timeline

Publicly Published

2023-09-21 (about 2 years ago)

Added

2023-09-21 (about 2 years ago)

Last Updated

2023-09-25 (about 2 years ago)

Other

Published

Title

Published

2025-03-24

Title

NextGEN Gallery Voting <= 2.7.6 - Reflected Cross-Site Scripting

Published

2024-07-19

Title

Category Posts Widget (Free < 4.9.17, Pro < 4.9.13) - Admin+ Stored XSS

Published

2023-06-03

Title

Don8 <= 0.4 - Admin+ Stored XSS

Published

2024-02-07

Title

Elementor Addons by Livemesh < 8.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-10-10

Title

WordPress Live Webcam Widget & Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting