CVE-2024-13504 Overview
CVE-2024-13504 is a Stored Cross-Site Scripting (XSS) vulnerability in the Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress. The flaw affects all versions up to and including 1.7.42. The plugin fails to sanitize input and escape output when handling .dfxp file uploads. Unauthenticated attackers can upload a crafted .dfxp file containing arbitrary web scripts. Those scripts execute in the browser of any user who accesses the file. The issue is limited to Apache-based environments, where .dfxp files are served with a content type that triggers script execution by default. The weakness is tracked under CWE-79.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the context of the WordPress site by uploading a malicious .dfxp file, enabling session theft, defacement, and redirection attacks.
Affected Products
- Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress
- All versions up to and including 1.7.42
- Apache-based hosting environments only
Discovery Timeline
- 2025-01-31 - CVE-2024-13504 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-13504
Vulnerability Analysis
The vulnerability resides in the file upload handler exposed by the Shared Files plugin. The plugin permits unauthenticated visitors to submit files through its frontend upload form. It accepts .dfxp files (Distribution Format Exchange Profile, an XML-based timed-text format) without sanitizing their content or escaping output when the file is later served. On Apache, .dfxp files are served with a MIME type that browsers interpret as renderable markup. When a victim opens the uploaded file URL, the embedded script executes in the origin of the WordPress site.
Because the attack does not require authentication or user interaction beyond visiting the uploaded file, exploitation is straightforward. The scope change in the impact rating reflects that injected scripts can affect resources beyond the vulnerable component, including authenticated administrator sessions.
Root Cause
The plugin code does not validate or sanitize the content of uploaded files against script payloads. It also relies on the web server's default behavior to serve uploaded files. On Apache, the absence of an explicit handler or Content-Type override for .dfxp files causes the browser to treat embedded XML and HTML as renderable content. This combination of missing input sanitization [CWE-79] and permissive default file handling produces the stored XSS condition.
Attack Vector
An attacker submits a .dfxp file containing inline <script> tags or XML payloads with executable content through the public upload form. The plugin stores the file in the WordPress uploads directory. The attacker shares the resulting URL or waits for a legitimate user, including administrators, to access the file. The script executes in the victim's browser with the privileges of the WordPress origin, enabling cookie theft, CSRF actions, and arbitrary DOM manipulation.
The vulnerability is described in detail in the Wordfence Vulnerability Analysis and the WordPress Plugin ChangeSet 3231372 that introduced the fix.
Detection Methods for CVE-2024-13504
Indicators of Compromise
- Presence of .dfxp files in the WordPress uploads directory containing <script>, javascript:, or onerror= strings.
- HTTP POST requests to the plugin upload endpoint originating from unauthenticated sessions and carrying .dfxp payloads.
- Outbound requests from admin browsers to attacker-controlled domains shortly after accessing a .dfxp file URL.
- Unexpected creation or modification of administrator accounts following access to plugin-hosted files.
Detection Strategies
- Scan the wp-content/uploads directory for .dfxp files and inspect them for HTML or JavaScript content not consistent with timed-text data.
- Review Apache access logs for GET requests to .dfxp files paired with prior unauthenticated upload POST requests.
- Correlate file upload events with subsequent administrator session anomalies, such as new sessions from unfamiliar IP addresses.
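The first detection strategy above, as an added example (not part of the advisory, the plugin, or Wordfence's tooling): a scanner that walks an uploads directory, parses each .dfxp file as XML, and flags anything that is not plain TTML timed-text, such as script elements, foreign (XHTML) namespaces, event-handler attributes, javascript: URIs, or files that are not well-formed. The sample files embedded at the bottom are constructed for illustration.

```python
# Added example: heuristic scan of .dfxp uploads for script content.
# A clean result is not proof of safety; treat it as triage input only.
import os
import re
import sys
import xml.etree.ElementTree as ET

# Namespaces a legitimate DFXP/TTML document uses (TTML 1 and the older ttaf1 draft).
ALLOWED_NS = ("http://www.w3.org/ns/ttml", "http://www.w3.org/2006/10/ttaf1")
# Indicator strings named in the advisory, matched on raw bytes so malformed
# XML that a browser might still sniff and render is not missed.
RAW_PATTERNS = re.compile(rb"<script|javascript:|on(?:error|load|mouseover)\s*=", re.I)

def inspect_dfxp(data: bytes) -> list:
    """Return findings for one .dfxp file body; an empty list means nothing suspicious."""
    findings = []
    for m in RAW_PATTERNS.finditer(data):
        findings.append(f"raw token {m.group(0).decode(errors='replace')!r} at offset {m.start()}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings.append("not well-formed XML (browsers may still sniff and render it)")
        return findings
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")          # tag is "{namespace}local" or "local"
        ns = ns.lstrip("{")
        if ns and not ns.startswith(ALLOWED_NS):
            findings.append(f"foreign namespace {ns} on <{local}>")
        if local.lower() == "script":
            findings.append(f"<{local}> element present")
        for name, value in el.attrib.items():
            attr = name.rpartition("}")[2].lower()
            if attr.startswith("on") or value.strip().lower().startswith("javascript:"):
                findings.append(f"event handler or javascript: URI in {attr} on <{local}>")
    return findings

def scan_uploads(uploads_dir: str) -> dict:
    """Walk a directory (e.g. wp-content/uploads) and map each suspicious .dfxp path to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(uploads_dir):
        for name in filenames:
            if name.lower().endswith(".dfxp"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings = inspect_dfxp(fh.read())
                if findings:
                    report[path] = findings
    return report

# Constructed samples: a benign TTML caption file and one carrying a foreign-namespace script element.
BENIGN = b'<tt xmlns="http://www.w3.org/ns/ttml" xml:lang="en"><body><div><p begin="0s" end="2s">Hello</p></div></body></tt>'
MALICIOUS = b'<tt xmlns="http://www.w3.org/ns/ttml" xmlns:x="http://www.w3.org/1999/xhtml"><body><div><p begin="0s" end="2s">Hi</p><x:script>/* constructed marker, no payload */</x:script></div></body></tt>'

if __name__ == "__main__":
    print(scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"))
```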
Monitoring Recommendations
- Alert on uploads of uncommon file extensions including .dfxp, .svg, and .xml through public WordPress endpoints.
- Monitor WordPress administrator account creation, role changes, and plugin or theme modifications.
- Apply web application firewall rules that inspect file uploads for embedded script tags regardless of declared extension.
How to Mitigate CVE-2024-13504
Immediate Actions Required
- Update the Shared Files plugin to a version later than 1.7.42 immediately.
- Audit the wp-content/uploads directory for existing .dfxp files and remove any that contain script content.
- Rotate WordPress administrator credentials and invalidate active sessions if malicious files were accessed.
- Restrict the Shared Files upload form to authenticated users until the patch is applied.
Patch Information
The maintainers addressed the issue in the changeset published at WordPress Plugin ChangeSet 3231372. Reference the prior release at WordPress Plugin Version 1.7.40 to compare the vulnerable code path. Administrators should upgrade to the fixed release available through the WordPress plugin repository.
Workarounds
- Configure Apache to force a safe Content-Type for .dfxp files using AddType application/octet-stream .dfxp or ForceType application/octet-stream inside a <Files> directive.
- Block .dfxp uploads at the web application firewall or reverse proxy until the plugin is updated.
- Disable the Shared Files plugin if patching cannot be performed promptly.
# Apache configuration to neutralize .dfxp script execution.
# Place in httpd.conf, or in .htaccess where AllowOverride FileInfo permits it;
# the Header directives require mod_headers to be enabled.
<FilesMatch "\.dfxp$">
    # Serve as an opaque download instead of renderable XML markup
    ForceType application/octet-stream
    Header set Content-Disposition "attachment"
    # Stop browsers from sniffing the body back into a renderable type
    Header set X-Content-Type-Options "nosniff"
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.