OS Command Injection Vulnerability in FileOrganizer and Other WordPress Plugins
CVE-2026-6382

Currently unrated

Key Information:

Vendor

WordPress

Vendor
CVE Published:
6 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-6382?

Certain WordPress plugins, including FileOrganizer, Advanced File Manager, File Manager Pro, and File Manager, have a vulnerability due to insufficient input escaping before executing shell commands during image operations. This flaw allows authenticated users to potentially execute arbitrary commands on the server. For exploitation, the ImageMagick convert command-line interface must be available on the server, without the PHP imagick or GD extensions being enabled.

Affected Version(s)

Advanced File Manager 0 < 5.4.12

File Manager 0 < 8.0.4

File Manager Pro 0 < 2.1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

mcdruid
WPScan
.