Shared Files < 1.7.58 – Contributor+ Arbitrary File Download | CVE 2025-15433 | Plugin Vulnerabilities

Description

The plugin allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector

Proof of Concept

1. Log in as a user with permission to create or edit "Shared Files" (e.g., contributor).
2. Add a Shared File.
3. Intercept the POST request to /wp-admin/post.php.
4. Modify the parameter "_sf_file_uploaded_file" to point to the site's wp-config.php (ex: /var/www/html/../../../wp-config.php)
5. Save/Update the post.
6. As an admin, publish the file. 
7. Visit the public download link for that file: http://mysite.local/shared-files/[POST_ID].
8. Result: The browser downloads wp-config.php

Affects Plugins

Fixed in 1.7.58

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Muhammad Rohan khan

Submitter

Muhammad Rohan khan

Verified

Yes

WPVDB ID

893667a1-dc8f-476a-ac00-55752fface90

Timeline

Publicly Published

2026-03-05 (about 21 days ago)

Added

2026-03-05 (about 21 days ago)

Last Updated

2026-03-05 (about 21 days ago)

Other

Published

Title

Published

2025-01-06

Title

Social Share Buttons for WordPress <= 2.7 - Unauthenticated Image Upload & Path Traversal

Published

2024-07-08

Title

Advanced File Manager Shortcodes < 2.4.1 - Authenticated (Contributor+) Directory Traversal

Published

2022-09-05

Title

Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal

Published

2022-09-15

Title

SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion

Published

2020-08-11

Title

Add From Server <= 3.3.3 - Authenticated Path Traversal to Arbitrary File Access