CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43230 – WordPress Shared Files – Premium Download Manager & Secure File Sharing with Frontend File Upload plugin <= 1.7.28 - Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-43230
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Shared Files – File Upload Form Shared Files.This issue affects Shared Files: from n/a through 1.7.28. The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.28 via the export functionality and lack of protected directory. This makes it possible for unauthenticated attackers to extract sensitive data information from export files generated by the plugin. • https://patchstack.com/database/vulnerability/shared-files/wordpress-shared-files-premium-download-manager-secure-file-sharing-with-frontend-file-upload-plugin-1-7-28-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34438 – Shared Files <= 1.7.19 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-34438
The Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads & Lead Generation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.19. This makes it possible for unauthenticated attackers to perform an unauthorized action. • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32679 – WordPress Shared Files plugin <= 1.7.16 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32679
Missing Authorization vulnerability in Shared Files PRO Shared Files.This issue affects Shared Files: from n/a through 1.7.16. Vulnerabilidad de autorización faltante en Shared Files PRO Shared Files. Este problema afecta a Shared Files: desde n/a hasta 1.7.16. The Shared Files plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_notifications function in versions up to, and including, 1.7.16. This makes it possible for unauthenticated attackers to dismiss notices. • https://patchstack.com/database/vulnerability/shared-files/wordpress-shared-files-plugin-1-7-16-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4819 – Shared Files < 1.7.6 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4819
The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts. El complemento Shared Files de WordPress anterior a 1.7.6 no devuelve el encabezado de tipo de contenido correcto para el archivo cargado especificado. Por lo tanto, un atacante puede cargar una extensión de archivo permitida inyectada con scripts maliciosos. The Shared Files – Advanced File Sharing & Download Manager with Frontend Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded file content in all versions up to, and including, 1.7.5 due to the plugin not returning the correct 'Content-Type' header when viewing uploaded files. • https://wpscan.com/vulnerability/4423b023-cf4a-46cb-b314-7a09ac08b29a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24856 – Shared Files < 1.6.61 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24856
The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El plugin Shared Files de WordPress versiones anteriores a 1.6.61, no sanea ni escapa de la configuración del texto del contador de descargas, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html no está permitida • https://mikadmin.fr/tech/XSS-Stored-Shared-Files-a837703ad010d111be11ffdf478aa6114F0lK656bV.pdf https://wpscan.com/vulnerability/8fd483fb-d399-4b4f-b4ef-bbfad1b5cf1b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •