CVE-2026-49112: WordPress Shared Files plugin <= 1.7.64 - Path Traversal vulnerability
Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability affects the Shared Files WordPress plugin at version 1.7.64 and below. The flaw is reachable over the network without any authentication, allowing an unauthenticated remote attacker to request file paths outside the intended directory. Successful exploitation gives the attacker read access to arbitrary files on the server, enabling disclosure of sensitive data such as configuration files, credentials, or private user content. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
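The flaw class described above is a file-serving handler that takes a user-supplied name and reads it relative to an upload directory without confining the result. The following is an added example, not the Shared Files plugin's code and not HarborGuard's; the handler name, the `file` parameter and the `uploads`/`uploads_private` layout are assumptions made for the demo. It shows the check a handler needs (decode once, resolve symlinks, compare path components) next to the prefix-string comparison that is commonly used and fails on a sibling directory.

```python
"""Confine a user-supplied file name to one allowed directory.

Added example for the vulnerability class in this advisory (a download
handler that reads paths outside its intended directory). It is not the
Shared Files plugin's code: the handler, parameter and directory layout
below are assumptions made for the demo.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_under_base(base_dir: str, requested: str) -> Path:
    """Return the real on-disk path for ``requested`` or raise.

    Three things the check must do that a string filter does not:
    - decode the value once, so ``%2e%2e%2f`` is seen as ``../``
    - resolve symlinks on both sides, so a link inside the base that
      points outside still counts as an escape
    - compare path components rather than string prefixes, so the
      sibling ``uploads_private`` is not accepted as being under ``uploads``
    """
    base = Path(base_dir).resolve(strict=True)
    decoded = unquote(requested)
    if os.path.isabs(decoded):
        raise PathTraversalError(f"absolute path rejected: {requested!r}")
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise PathTraversalError(f"path escapes base: {requested!r}") from exc
    return candidate


def naive_prefix_check(base_dir: str, requested: str) -> bool:
    """The common but insufficient check: normalise, then compare prefixes.

    Kept only to show the sibling-directory pitfall in ``demo``.
    """
    full = os.path.normpath(os.path.join(base_dir, requested))
    return full.startswith(base_dir)


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both checks."""
    root = Path(tempfile.mkdtemp())
    base = root / "uploads"             # the only directory reads are allowed from
    sibling = root / "uploads_private"  # shares the string prefix "uploads"
    base.mkdir()
    sibling.mkdir()
    (base / "public.txt").write_text("ok")
    (sibling / "secret.txt").write_text("constructed secret")
    (base / "link").symlink_to(sibling / "secret.txt")

    results = {"plain": resolve_under_base(str(base), "public.txt").read_text()}
    attempts = {
        "dotdot": "../uploads_private/secret.txt",
        "encoded": "..%2Fuploads_private%2Fsecret.txt",
        "absolute": str(sibling / "secret.txt"),
        "symlink": "link",
    }
    for label, req in attempts.items():
        try:
            resolve_under_base(str(base), req)
            results[label] = "allowed"
        except PathTraversalError:
            results[label] = "blocked"
    # The prefix comparison wrongly accepts the escape into the sibling directory.
    results["naive_sibling"] = naive_prefix_check(str(base), attempts["dotdot"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>14}: {outcome}")
```

`demo()` reports every escape attempt as blocked by `resolve_under_base` while `naive_prefix_check` accepts the sibling-directory case; the same component-wise comparison is what a PHP handler gets from `realpath()` followed by a check that the result is the base directory or a path within it, not a `strpos` on the string.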
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images and pipeline builds. Coverage extends to custom-built images that bundle the Shared Files plugin alongside a WordPress installation.
Status: Available
HarborGuard scores this finding at CVSS 7.5 HIGH and weights it further against each customer environment's compliance policy. Routed findings are delivered to the inbox configured for the affected team or service owner within each customer org.
Status: Available
Because no fix version has been published by the vendor, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix version appears. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix is released.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required
No account or session token is needed; the traversal request can be sent by any unauthenticated party.
- Victim interaction: Not required
The attacker sends a crafted request directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Exploitation is reliable and condition-free, requiring only a crafted path string in the request, with no race conditions or special environmental factors.
Blast Radius
- Reads arbitrary files from the server filesystem, including WordPress wp-config.php which contains database credentials and authentication secret keys.
- Reads sensitive system files such as /etc/passwd or application environment files that expose infrastructure details.
- Discloses private uploaded content stored outside the web root if the server process has read access to those paths.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against all scanned images within minutes of publication; no fix version is currently available to remediate against. HarborGuard monitors the Patchstack advisory and the WordPress plugin repository on every ingest cycle, so the moment a patched version of Shared Files ships, a rebuilt image at that fix version becomes available. For customers with auto-remediation enabled, the rebuild, regression test run, and a PR opened against affected workloads will trigger automatically at that point.
In the meantime, where compliance policy permits, recommended compensating controls are:
- web-server or WAF rules that block path traversal patterns in request parameters;
- restricting the WordPress installation's filesystem read permissions to only the directories required for normal operation;
- isolating the affected service with network policy to limit which internal resources are reachable if the server process is abused.
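The first compensating control above, blocking or at least spotting traversal patterns in request parameters, is only as good as its handling of encoding. The following is an added example that is not HarborGuard's code or the plugin's: it scans constructed access-log lines for `..` segments in the path or any query value after URL-decoding up to twice and folding backslashes, then groups hits by source address and separates requests a front-end rule already refused (403) from ones that were served (2xx). The `/files/download` endpoint, the `file` parameter and the log lines are all constructed for the demo.

```python
"""Flag path traversal attempts in web-server access logs.

Added example for the compensating controls in this advisory (blocking or
spotting traversal patterns at the web server or WAF). It is not
HarborGuard's or the plugin's code; the endpoint, parameter name and log
lines are constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined"-style line, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one normal download, three traversal attempts in
# plain, URL-encoded and double-encoded forms, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /files/download?file=report.pdf HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /files/download?file=../../../../wp-config.php HTTP/1.1" 200 3210
198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "GET /files/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1870
198.51.100.9 - - [10/Mar/2026:12:00:04 +0000] "GET /files/download?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 120
192.0.2.77 - - [10/Mar/2026:12:00:05 +0000] "GET /index.php?p=about HTTP/1.1" 200 8800
"""


def _decode(value: str) -> str:
    """URL-decode up to twice (double encoding is a common filter evasion)
    and fold backslashes, which some servers treat as separators."""
    out = value
    for _ in range(2):
        nxt = unquote(out)
        if nxt == out:
            break
        out = nxt
    return out.replace("\\", "/")


def is_traversal_attempt(target: str) -> bool:
    """True if the path or any query value contains a '..' segment after decoding."""
    parts = urlsplit(target)
    fields = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(".." in _decode(f).split("/") for f in fields)


def scan_access_log(lines) -> list:
    """Return one record per request that looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


def triage(hits) -> dict:
    """Group hits by source IP. A 2xx on a traversal request is the one to
    treat as a probable disclosure; a 403 means a front-end rule caught it."""
    out = defaultdict(lambda: {"attempts": 0, "successes": 0})
    for h in hits:
        out[h["ip"]]["attempts"] += 1
        if 200 <= h["status"] < 300:
            out[h["ip"]]["successes"] += 1
    return dict(out)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for ip, counts in triage(found).items():
        print(ip, counts)
```

On the sample, three of the five lines are flagged and the triage shows one address with a served traversal request and one with two attempts of which one was served. The check is deliberately conservative: it only reacts to a whole `..` segment, so names such as `notes..txt` pass, and it does not attempt to catch overlong UTF-8 or triple encoding, which a WAF rule set should cover separately.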
- Tammersoft / Shared Files: ≤ 1.7.64
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N