CVE-2018-25105: File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
First published: Wed Oct 16 2024(Updated: )
The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Filemanagerpro File Manager Wordpress | <=3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- vendor/filemanagerpro
- canonical/filemanagerpro file manager wordpress
- version/filemanagerpro file manager wordpress/3.0