cleantalk
Vulnerabilities and Security Researches

WordPress File Sharing Plugin, CVE-2026-10093

CVE, Research URL

CVE-2026-10093

Home page URL

Security reports for WordPress File Sharing Plugin

Application

WordPress File Sharing Plugin

Published on
Jun 16, 2026
Research Description
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.1.7.
Status
vulnerable
Previous vulnerability researches
myCred Elementor (CVE-2024-49702) , Oct 25, 2024
New vulnerability
Advanced 301 and 302 Redirect (CVE-2026-49067) , Jun 18, 2026
Abandoned Contact Form 7 (CVE-2026-9187) , Jun 18, 2026
ABC Crypto Checkout (CVE-2026-52695) , Jun 18, 2026
WordPress File Sharing Plugin (CVE-2026-10093) , Jun 18, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-54190) , Jun 18, 2026