CVE-2025-15433 PUBLISHED

Shared Files < 1.7.58 - Contributor+ Arbitrary File Download

Assigner: WPScan
Reserved: 01.01.2026 Published: 26.03.2026 Updated: 26.03.2026

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

Product Status

Vendor: Unknown
Product: Shared Files
Versions: Default: unaffected
  • affected from 0 to 1.7.58 (excl.)

Credits

  • Muhammad Rohan khan (finder)
  • WPScan (coordinator)

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')