The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution.
References
Configurations
History
30 Oct 2024, 18:23
Type | Values Removed | Values Added |
---|---|---|
First Time |
Filemanagerpro
Filemanagerpro file Manager |
|
CPE | cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:*:wordpress:*:* | |
References | () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail= - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cve - Third Party Advisory |
16 Oct 2024, 16:38
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Oct 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-16 07:15
Updated : 2024-10-30 18:23
NVD link : CVE-2018-25105
Mitre link : CVE-2018-25105
CVE.ORG link : CVE-2018-25105
JSON object : View
Products Affected
filemanagerpro
- file_manager
CWE
CWE-862
Missing Authorization