CVE-2018-25105 File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary file...