7 matches found
CVE-2020-25213
CVE-2020-25213 affects the WordPress WP-File-Manager plugin (versions 6.0–6.8; remediation to 6.9+). Root cause: renaming an unsafe elFinder connector file to .php allowed unauthenticated remote code execution via the plugin’s file-upload mechanism, enabling commands to write PHP into wp-content/...
CVE-2024-2654
CVE-2024-2654 refers to the WordPress File Manager plugin, affecting all versions up to 7.2.5. It enables Directory Traversal via fm_download_backup, allowing an authenticated attacker with administrator privileges to read the contents of arbitrary zip files on the server, potentially exposing se...
CVE-2024-1538
CVE-2024-1538 affects the WordPress File Manager plugin up to version 7.2.4. The root cause is missing or incorrect nonce validation on the wp_file_manager page that includes files via the 'lang' parameter, enabling unauthenticated attackers to cause local JavaScript inclusion and potentially ach...
CVE-2024-8918
CVE-2024-8918 affects the File Manager Pro WordPress plugin up to version 8.3.9. Root cause: insufficient checks on allowed file types permit unauthenticated attackers (with admin-granted permissions) to upload .css/.js files, enabling Stored Cross-Site Scripting. Impact: potential data/website s...
CVE-2021-24177
CVE-2021-24177: Reflected XSS in the WordPress File Manager plugin (pre-7.1) on /wp-admin/admin.php?page=wp_file_manager_properties where a payload submitted in the User-Agent header is reflected in the response. Affected product: WordPress File Manager plugin (default configuration). CVSS eviden...
CVE-2024-8746
CVE-2024-8746 affects the WordPress plugin File Manager Pro (versions ≤ 8.3.9). The vulnerability stems from missing file type validation in the mk_file_folder_manager_shortcode AJAX action, allowing unauthenticated attackers (if granted admin-approval) to download and upload arbitrary backup fil...
CVE-2024-8507
The CVE-2024-8507 entry concerns the WordPress plugin File Manager Pro (