Unauthorized File Access possible in File Manager Plugin for WordPress

CVE-2018-25105

9.8CRITICAL

Key Information

Vendor: Mndpsingh287
Status: File Manager
Vendor: CVE Published:; 16 October 2024

Summary

The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution.

Affected Version(s)

File Manager <= 3.0

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
Oct 15, 2024
Disclosed
Sep 17, 2018

Collectors

NVD DatabaseMitre Database