Home

Description

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector

PUBLISHED Reserved 2026-01-01 | Published 2026-03-26 | Updated 2026-03-26 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 1.7.58
affected

Credits

Muhammad Rohan khan finder

WPScan coordinator

References

wpscan.com/...rability/893667a1-dc8f-476a-ac00-55752fface90/ exploit vdb-entry technical-description

cve.org (CVE-2025-15433)

nvd.nist.gov (CVE-2025-15433)

Download JSON