OS Command Injection Vulnerability in FileOrganizer and Other WordPress Plugins
CVE-2026-6382
Currently unrated
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 6 July 2026
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-6382?
Certain WordPress plugins, including FileOrganizer, Advanced File Manager, File Manager Pro, and File Manager, have a vulnerability due to insufficient input escaping before executing shell commands during image operations. This flaw allows authenticated users to potentially execute arbitrary commands on the server. For exploitation, the ImageMagick convert command-line interface must be available on the server, without the PHP imagick or GD extensions being enabled.
Affected Version(s)
Advanced File Manager 0 < 5.4.12
File Manager 0 < 8.0.4
File Manager Pro 0 < 2.1.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.