Title: Mikesoft TeamVault Author: Michael Gasperini Published: April 10, 2026 Last modified: April 10, 2026 --- Search plugins ![](https://ps.w.org/mikesoft-teamvault/assets/banner-772x250.png?rev=3503199) ![](https://ps.w.org/mikesoft-teamvault/assets/icon.svg?rev=3503199) # Mikesoft TeamVault By [Michael Gasperini](https://profiles.wordpress.org/thestreamcode/) [Download](https://downloads.wordpress.org/plugin/mikesoft-teamvault.1.1.31.zip) * [Details](https://wordpress.org/plugins/mikesoft-teamvault/#description) * [Reviews](https://wordpress.org/plugins/mikesoft-teamvault/#reviews) * [Installation](https://wordpress.org/plugins/mikesoft-teamvault/#installation) * [Development](https://wordpress.org/plugins/mikesoft-teamvault/#developers) [Support](https://wordpress.org/support/plugin/mikesoft-teamvault/) ## Description Mikesoft TeamVault helps teams manage confidential documents in a protected storage area outside the normal WordPress Media Library workflow. Perfect for sharing files with partners, clients, or team members within your own hosting environment. Files are stored in a private directory and delivered only through authenticated WordPress handlers. The plugin includes folder management, previews, access control, activity logs, and export tools in a modern admin interface. **Main features:** * Protected private storage outside the Media Library flow * Shared access for teams, partners, and clients * Role-based and user-specific access control * Folder creation, rename, move, and delete operations * Drag-and-drop uploads with image and PDF previews * ZIP export for the full library or a specific folder * Activity logging for uploads, downloads, moves, and deletes * Orphaned-record detection and cleanup after local or staging migrations * English default interface with optional Italian translation * Multisite-aware database tables and secure file streaming The plugin does not require any external service to work. ### Security Considerations This plugin includes multiple WordPress.org-friendly security measures: * Capability-based access checks * WordPress nonce validation for mutating REST requests * Deep upload validation for extension, MIME type, size, and dangerous content patterns * Path boundary validation on the server side * Authenticated preview, download, and export handlers * Private storage protected from direct public access ### Credits Author: Michael Gasperini – https://mikesoft.it Supported languages: English, Italian ## Installation 1. Upload the `mikesoft-teamvault` folder to `/wp-content/plugins/` 2. Activate the plugin from the WordPress Plugins screen 3. The plugin creates its database tables and private storage directory automatically 4. Administrators and Editors receive the `manage_private_documents` capability by default 5. Open **TeamVault** in the WordPress admin menu ## FAQ ### Are the files really private? Yes. Files are stored in a protected directory and are not served through public direct URLs. Access is checked before preview, download, and export operations. ### Can I use selected users instead of roles? Yes. In the plugin settings you can enable a user whitelist and grant access only to selected WordPress users. ### Can I change the storage directory? Yes. You can configure a custom writable path in the plugin settings. ### What file types are supported? By default the plugin allows common office documents, images, archives, text files, and media files. You can customize the allowed extensions in the settings. ### Why do I see files listed but they cannot be opened after a local migration? The plugin stores binaries in its private storage directory, not in the Media Library. If you move the database without copying `wp-content/uploads/private-documents/`( or your custom storage path), the database records remain but the physical files are missing. The settings page includes a maintenance tool to clean orphaned records. ### What happens on uninstall? You can choose whether all plugin data should be removed on uninstall. By default the cleanup option is disabled for safety. ### Is an Italian interface available? Yes. The plugin uses English by default and includes an Italian interface option in the settings. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Mikesoft TeamVault” is open source software. The following people have contributed to this plugin. Contributors * [ Michael Gasperini ](https://profiles.wordpress.org/thestreamcode/) [Translate “Mikesoft TeamVault” into your language.](https://translate.wordpress.org/projects/wp-plugins/mikesoft-teamvault) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/mikesoft-teamvault/), check out the [SVN repository](https://plugins.svn.wordpress.org/mikesoft-teamvault/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/mikesoft-teamvault/) by [RSS](https://plugins.trac.wordpress.org/log/mikesoft-teamvault/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 1.1.31 * Security/compliance: normalized whitelist POST arrays with immediate `wp_unslash()` + `absint()` casting for both `mstv_allowed_users` and legacy `pdm_allowed_users` * Validation: re-ran Plugin Check and confirmed no remaining warnings for whitelist input sanitization #### 1.1.30 * Fixed User Access whitelist toggle wiring so the Authorized users selector appears correctly * Fixed whitelist selected-user save flow by aligning hidden field names with backend processing * Added compatibility fallback for legacy cached admin JS posting `pdm_allowed_users[]` * Updated whitelist POST array sanitization (`wp_unslash` + `absint`) to satisfy Plugin Check input validation * Completed staging QA validation across whitelist access control, file operations, maintenance actions, export, and uninstall setting persistence #### 1.1.29 * Added the TeamVault logo to the admin sidebar header on desktop and mobile * Finalized the first WordPress.org release packaging and distribution flow #### 1.1.28 * Security: replaced !empty() with wp_validate_boolean() for all boolean form inputs in settings handling * Security: replaced (bool) cast with wp_validate_boolean() in REST API settings updates * Security: added dedicated nonce verification for export selection with explicit check * Compliance: added wp_unslash() to all $_POST handling and PHPCS ignore comments for wp_validate_boolean * Compliance: added PHPCS ignore comments for orderClause in repository files ( whitelist-sanitized values) * Enhancement: added TeamVault logo SVG to sidebar header in file manager * Refactor: extracted create_protection_files() to MSTV_Helpers to eliminate code duplication * Refactor: simplified repository files queries with build_order_clause() method * Refactor: removed side-effect from MSTV_Storage constructor, explicit directory creation * Refactor: injected MSTV_Settings into MSTV_Logger and MSTV_Assets via constructor * Refactor: moved data access logic from logs-page view to admin controller * Compliance: eliminated redundant MSTV_Settings instantiations in view templates #### 1.1.27 * Security: added proper sanitization for uploaded file arrays (sanitize_file_name, sanitize_mime_type, sanitize_text_field) * Security: replaced FILTER_DEFAULT with proper sanitization for folder_ids array * Security: added detailed PHPCS ignore comments explaining nonce verification patterns * Compliance: prefixed all global variables in templates with “mstv_” * Compliance: prefixed all dynamic hook names with “mstv_” via class constants * Compliance: changed all prefixes from “pdm” to “mstv” (4+ character requirement) * Compliance: updated all WordPress options from “pdm__” to “mstv\__” for uniqueness * Fix: corrected JavaScript config variable from “pdmConfig” to “mstvConfig” * Fix: resolved syntax error in settings class (ternary operator compatibility) #### 1.1.26 * Kept the mobile header toolbar on a single row by compacting filters and action controls * Reduced the mobile footprint of the Upload and Export buttons for a cleaner responsive header #### 1.1.25 * Fixed file rename fallback handling for legacy records with empty display names * Added safer display-name fallback resolution during upload, reindex, browser payload formatting, and rename flows * Tightened the file rename request handling and added regression coverage for the rename path #### 1.1.24 * Renamed the plugin branding to Mikesoft TeamVault and aligned the release package with the new slug * Removed SVG from default allowed uploads, blocked unsafe inline preview paths, and enforced the PDF preview setting * Fixed nested folder rename path updates so descendant files keep working after folder renames * Rejected invalid destination folder IDs instead of silently falling back to the root folder * Improved admin UI consistency, mobile details controls, and release hardening files #### 1.1.23 * Refined the mobile file manager with off-canvas navigation, responsive filters, and sidebar scrolling * Fixed rename validation edge cases and several Italian translation issues #### 1.1.22 * Fixed Plugin Check compliance issues in filesystem operations, schema migration safety, and packaging #### 1.1.21 * Hardened whitelist enforcement so role-based access and user whitelists are applied consistently across REST, admin screens, and streamed handlers * Normalized legacy log target types, improved storage cleanup safety, and switched file delivery to chunked streaming for large exports and previews #### 1.1.20 * Added clearer move-destination selection feedback and restored the root node in the sidebar tree * Completed the latest Italian translation review for pagination, maintenance, export, and storage recovery strings #### 1.1.19 * Fixed the remaining Plugin Check findings in uninstall cleanup and admin request sanitization paths #### 1.1.18 * Added automatic storage self-healing on browser load and folder creation so missing database records are restored without manual maintenance steps #### 1.1.17 * Added maintenance reindex to restore folder and file records from the storage directory when database entries are missing * Restored creation of folders whose physical directory still exists after uninstall or partial cleanup #### 1.1.16 * Restored folder creation when a directory already exists on disk but its database record was removed #### 1.1.13 * Fixed Plugin Check issues around paginated queries, admin request sanitization, and filesystem fallbacks * Normalized line endings across the plugin files flagged by the report #### 1.1.12 * Simplified the export modal to two choices only: export all or export selected folders #### 1.1.11 * Removed create/upload reliance on the WordPress filesystem abstraction for local file writes to improve compatibility on local environments * Improved admin API error parsing so critical backend responses surface a readable message in the UI #### 1.1.10 * Added export choices for the full library, the current folder, or selected folders directly from the export modal * Fixed the sort-order button icon so it matches ascending and descending states correctly * Added live filesystem metadata fallback for preview and download streams to reduce issues with stale stored metadata #### 1.1.9 * Fixed upload validation regressions that could block new file uploads * Fixed duplicate upload controls shown inside the upload overlay * Added runtime self-healing for the private storage directory * Added live filesystem metadata fallback so existing files keep working even if stored MIME or size metadata is stale * Marked missing binaries clearly in the file manager and disabled invalid preview/ download actions * Added a settings maintenance action to clean orphaned file records after local migrations #### 1.1.8 * Standardized the main plugin interface and project documentation around English source text * Refined contribution and README documentation for a more professional release presentation * Repaired internal naming regressions introduced during the language normalization pass #### 1.1.7 * Improved binary streaming handlers for preview, download, and ZIP export * Improved custom table handling and whitelist capability cleanup * Hardened allowed extensions sanitization in admin settings #### 1.1.6 * Fixed Windows path normalization in filesystem boundary checks * Resolved false “Invalid destination path” upload failures caused by mixed slash formats * Improved upload compatibility for root and nested folder destinations on local Windows environments #### 1.1.5 * Fixed internal drag and drop so files can be moved reliably into folders * Added drop targets for content folders, sidebar tree folders, and the root breadcrumb * Prevented internal drag operations from incorrectly opening the upload overlay #### 1.1.4 * Moved folder and file quick actions from hover overlays into the details sidebar * Clicking a folder now selects it and shows actions in the sidebar; double-click opens it * Simplified card and list layouts by removing inline hover action areas #### 1.1.3 * Improved translator comments for placeholder-based strings * Reworked file query ordering for safer database access patterns * Replaced remaining streamed `readfile()` usage with filesystem-backed reads * Improved server input handling in admin settings and repository logs #### 1.1.2 * Improved admin view escaping and packaging metadata * Reworked streamed preview and download handlers to use authenticated admin-post endpoints with dedicated nonce support * Reworked filesystem operations and upload handling for better WordPress compatibility * Fixed settings form handling with safer input unslashing, redirects, and transient- based success notice * Added `languages/` directory support and removed deprecated manual textdomain loading #### 1.1.1 * Security: REST API now enforces WordPress REST nonce validation in permission checks * Security: Removed nonce usage from preview image URLs in the admin UI * Security: Hardened download and preview filename sanitization against header injection * Security: Strengthened filesystem base-path boundary validation * Security: Rejects dangerous double-extension uploads like `file.php.pdf` * Security: Added destination path checks before storing files and folders * Fixed: Streamed download and preview URLs now use secure admin-post handlers * Fixed: Multisite uninstall now cleans site-specific tables and options correctly * Improved: Folder repository now caches tree and all-folder lookups during the request lifecycle * Improved: Export modal flow now submits through admin-post with a dedicated stream nonce * Added: Hooks are now wired into upload, rename, delete, move, preview, download, export, and folder operations #### 1.1.0 * Security: Fixed path traversal vulnerability in the filesystem layer * Security: Added content sniffing to detect polyglot and malicious uploads * Security: Improved upload validation with full content scanning * Fixed: Multisite compatibility for plugin tables * Fixed: ZIP export cleanup on failure with a shutdown handler * Added: Developer hooks and filters for extensibility For older release history, see `changelog.txt` in the plugin package. ## Meta * Version **1.1.31** * Last updated **19 hours ago** * Active installations **Fewer than 10** * WordPress version ** 6.0 or higher ** * Tested up to **6.9.4** * PHP version ** 8.0 or higher ** * Tags * [collaboration](https://wordpress.org/plugins/tags/collaboration/)[documents](https://wordpress.org/plugins/tags/documents/) [file manager](https://wordpress.org/plugins/tags/file-manager/)[privacy](https://wordpress.org/plugins/tags/privacy/) [secure](https://wordpress.org/plugins/tags/secure/) * [Advanced View](https://wordpress.org/plugins/mikesoft-teamvault/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/mikesoft-teamvault/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/mikesoft-teamvault/reviews/) ## Contributors * [ Michael Gasperini ](https://profiles.wordpress.org/thestreamcode/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/mikesoft-teamvault/)