wpvulndb: Dmitrii Ignatyev
WPVDB-ID: F250226F-4A05-4D75-93C4-5444A4CE919E
History: Nov 20, 2023 - 12:00 a.m.

File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal

2023-11-20 00:00:00
Dmitrii Ignatyev
wpscan.com
7
file manager
arbitrary file access
path traversal
wordpress
system files
multisite setup

AI Score: 9.3 High
Confidence: High
EPSS: 0.001 Low
Percentile: 19.6%

Description: The plugin does not restrict the file manager's root directory. An administrator can set the root to a location outside the WordPress root directory, which gives access to system files and directories. This also applies in a multisite setup, where site administrators should not be allowed to modify the site's files.

PoC

1. Go to the settings page (/wordpress/wp-admin/admin.php?page=file-manager-settings).
2. In the “Root Folder Path” setting, change the directory to /home, or use path traversal: /var/www/html/…/…/…/home or /var/www/html/wordpress/…/…/…/…/etc.
3. Then navigate to the plugin page (/wordpress/wp-admin/admin.php?page=file-manager#elf_l1_Lw).
4. You will be able to list the files/folders outside of the WordPress root directory.
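The root cause described above is that the "Root Folder Path" setting is accepted verbatim, so both an absolute path such as /home and a traversal sequence below the web root resolve to directories outside WordPress. The following is an added illustrative example (Python, not the plugin's own PHP code) of the confinement check a defender would want: the configured root is canonicalised, with symlinks and `..` resolved, and then compared structurally against the canonical allowed base. The `allowed_base` argument is an assumption of this example; on a single site it would be the WordPress root, and on a multisite install a narrower per-site directory could be passed instead. The `demo()` function builds a throwaway WordPress-like tree (constructed sample data) and exercises the check against in-root paths, `..` traversal, an absolute path outside the root, a sibling directory that merely shares the root's name as a prefix, and a symlink pointing out of the root.

```python
"""Confine a user-supplied "root folder" setting to an allowed base directory.

Added example, not the plugin's own code. `allowed_base` is an assumed
parameter: the directory the file manager is permitted to expose.
"""
import tempfile
from pathlib import Path


def confine_root(requested: str, allowed_base: str) -> Path:
    """Return the canonical path for `requested` if it lies inside `allowed_base`.

    Raises ValueError otherwise. Relative inputs are taken relative to the base;
    absolute inputs are accepted only if they still resolve inside the base.
    """
    base = Path(allowed_base).resolve()
    raw = Path(requested)
    # resolve() collapses '..' components and follows symlinks, so the value
    # compared below is the directory that would actually be listed.
    candidate = (raw if raw.is_absolute() else base / raw).resolve()
    # relative_to() raises ValueError when candidate is not under base. A plain
    # string-prefix test would wrongly accept /srv/wordpress-backup for base
    # /srv/wordpress, so the component-wise check is used instead.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"root folder {requested!r} escapes {base}") from None
    return candidate


def demo() -> dict:
    """Exercise confine_root against a constructed WordPress-like directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        wp_root = Path(tmp) / "wordpress"
        (wp_root / "wp-content" / "uploads").mkdir(parents=True)
        # Sibling directory whose name starts with the base name (constructed),
        # included to show why a prefix comparison is not sufficient.
        (Path(tmp) / "wordpress-backup").mkdir()

        cases = {
            "relative_in_root": "wp-content/uploads",
            "absolute_in_root": str(wp_root / "wp-content"),
            # pathlib keeps '..' components, so this is the traversal form
            # below the web root that the advisory describes.
            "dotdot_escape": str(wp_root / ".." / ".." / ".." / "etc"),
            "relative_dotdot": "../../../home",
            "absolute_outside": "/etc",
            "prefix_sibling": str(Path(tmp) / "wordpress-backup"),
        }
        for name, value in cases.items():
            try:
                confine_root(value, str(wp_root))
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"

        # A symlink inside the root that points outside it must also be rejected;
        # skipped where the filesystem or platform refuses to create symlinks.
        link = wp_root / "wp-content" / "escape"
        try:
            link.symlink_to(Path(tmp))
        except OSError:
            results["symlink_out"] = "skipped"
        else:
            try:
                confine_root("wp-content/escape", str(wp_root))
                results["symlink_out"] = "allowed"
            except ValueError:
                results["symlink_out"] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The check is applied at save time of the setting, and again when the file manager initialises its root, so a value written directly to the options table still cannot escape. Rejecting symlinks that resolve outside the base is deliberate: without it, a link created from inside the allowed tree would reopen the same hole the setting validation closed.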

CPE match
  Name:     (not given)
  Operator: eq
  Version:  6.3
