CVE-2024-13504: 
WordPress vulnerability analysis and mitigation

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-13504) discovered in versions up to and including 1.7.42. The vulnerability was publicly disclosed on January 30, 2025, and was identified by security researcher Tim Coen (Wordfence).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that occurs due to insufficient input sanitization and output escaping when handling dfxp file uploads. The severity is rated as HIGH with a CVSS v3.1 base score of 7.2 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). This vulnerability specifically affects Apache-based environments where dfxp files are handled by default (NVD).

When exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the dfxp file. This can lead to potential compromise of user sessions, data theft, and other malicious activities typically associated with XSS attacks (NVD).

Website administrators running the affected versions of the Shared Files plugin should update to a version newer than 1.7.42 as soon as possible. For systems that cannot be immediately updated, considering disabling dfxp file upload functionality or implementing additional file upload restrictions may serve as temporary mitigation measures (NVD).