CVE-2025-4392: 
WordPress vulnerability analysis and mitigation

The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress (versions up to 1.7.48) contains a Stored Cross-Site Scripting vulnerability. The vulnerability exists due to insufficient input sanitization and output escaping within the sanitize_file() function, which allows unauthenticated attackers to bypass the plugin's MIME-only checks and inject arbitrary web scripts that execute when users access HTML files (NVD CVE, WordPress Plugin).

The vulnerability is present in the sanitize_file() function within the plugin's file handling mechanism. The function fails to properly validate and sanitize HTML file uploads, allowing attackers to bypass MIME-type checks. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges (NVD CVE).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when accessing uploaded HTML files. This can lead to various attacks including cookie theft, session hijacking, and other client-side attacks that could compromise user security (NVD CVE).

The vulnerability has been patched in version 1.7.49 of the plugin. Users are strongly advised to update to this version immediately. The update includes improved input sanitization and output escaping mechanisms in the sanitize_file() function (WordPress Plugin).