CVE-2025-14632 in Filr Plugin
Summary
by MITRE • 01/17/2026
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, provided they have permission to create or edit posts with the 'filr' post type.
Analysis
by VulDB Data Team • 01/18/2026
CVE-2025-14632 affects the Filr – Secure document library plugin for WordPress: a critical stored cross-site scripting flaw caused by inadequate file type validation. The weakness lies in the FILR_Uploader class, which fails to properly restrict the types of files that can be uploaded, allowing the intended upload controls to be bypassed. All versions of the plugin up to and including 1.2.11 are affected, and the flaw can be exploited by authenticated users with administrator-level privileges or higher.
Exploitation stems from insufficient validation and sanitization in the plugin's file upload functionality. When an administrator or another user with the required permissions uploads a file through the plugin's interface, the file type is not adequately verified, so an HTML file containing embedded JavaScript is accepted and stored. That script then executes in the browser of any other user who accesses the uploaded content. This is a stored XSS: the malicious script persists on the server and runs each time the file is accessed, unlike a reflected XSS, where the victim has to be made to send a crafted request for each trigger.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent means of compromising user sessions and potentially escalating privileges within the WordPress environment. An attacker with administrator-level access can upload malicious files that will execute whenever any user with appropriate permissions views or interacts with the compromised documents. This creates a vector for session hijacking, credential theft, and potential lateral movement within the compromised WordPress installation. The vulnerability's reach is particularly concerning given that it affects the core document management functionality of the plugin, which is designed to provide secure file handling capabilities.
From a cybersecurity perspective, this vulnerability maps to CWE-434 (Unrestricted Upload of File with Dangerous Type), which covers applications that fail to validate or restrict the types of files they accept. The attack pattern aligns with MITRE ATT&CK technique T1190, Exploit Public-Facing Application, in which attackers leverage web application vulnerabilities to execute malicious code. The requirement for administrator-level access does not diminish the severity, since such privileges typically provide access to sensitive data and system controls. Organizations should update the plugin, enforce strict file type validation, and restrict the permissions that allow file uploads. The vulnerability highlights the importance of input validation and proper file type restrictions in web applications, particularly those handling document management and user-generated content.
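The file type restriction and download-only serving that the analysis above calls for, as an added Python example (not the plugin's code or a patch for it): extensions outside an allowlist are rejected, binary types must match their leading-byte signature, text uploads are scanned for HTML markup, and accepted files are served as attachments with MIME sniffing disabled. The allowlist, signatures and sample uploads are constructed for the example.

```python
"""Allowlist upload validation of the kind that blocks the HTML-upload path
described for CVE-2025-14632. Constructed example, not the plugin's code."""
import os
import re

# Allowlist: extension -> (MIME type to serve, accepted leading bytes).
# A document library has no reason to accept HTML, SVG or JS, so they are
# simply absent; anything not listed is rejected.
ALLOWED = {
    ".pdf": ("application/pdf", (b"%PDF-",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".txt": ("text/plain", ()),  # no signature; content is sniffed instead
}
# Markup that turns a "document" into a page the browser will script.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|iframe|svg|object|embed)\b|javascript:", re.I)


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason, response_headers) for a candidate upload."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist", {}
    mime, signatures = ALLOWED[ext]
    if signatures and not any(data.startswith(s) for s in signatures):
        return False, f"content does not match {ext} signature", {}
    # Text types carry no signature, so look for HTML that was merely renamed.
    if not signatures and ACTIVE_CONTENT.search(data[:65536]):
        return False, "active HTML/script content in text upload", {}
    # Serve as a download with the type pinned: even if a check above were
    # bypassed, the browser must not render the stored file as a page.
    headers = {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{os.path.basename(filename)}"',
        "X-Content-Type-Options": "nosniff",
    }
    return True, "ok", headers


# Constructed sample uploads: a minimal PDF, an HTML file with a script tag
# under its own name, the same file renamed .txt, and the same file renamed .pdf.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF",
    "notes.html": b"<html><body><script>alert(1)</script></body></html>",
    "notes.txt": b"<html><body><script>alert(1)</script></body></html>",
    "fake.pdf": b"<html><script>alert(1)</script></html>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        accepted, reason, _ = validate_upload(name, blob)
        print(f"{name:11} accepted={str(accepted):5} {reason}")
```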