CVE-2023-5907: File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal
First published: Mon Dec 11 2023(Updated: )
The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bitapps File Manager | <6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2023-5907?
CVE-2023-5907 is considered a critical vulnerability due to the potential for unauthorized access to sensitive system files.
How do I fix CVE-2023-5907?
To fix CVE-2023-5907, update the File Manager WordPress plugin to version 6.3 or later.
Who is affected by CVE-2023-5907?
CVE-2023-5907 affects users of the File Manager WordPress plugin versions prior to 6.3.
What types of attacks can exploit CVE-2023-5907?
CVE-2023-5907 can be exploited to gain unauthorized access to files outside the WordPress root directory.
Is CVE-2023-5907 a concern for multisite WordPress setups?
Yes, CVE-2023-5907 poses a particular risk in multisite WordPress setups as it allows site administrators to access system files.
- collector/nvd-api
- agent/event
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/author
- agent/severity
- agent/references
- collector/epss-latest
- source/FIRST
- agent/description
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/source
- vendor/bitapps
- canonical/bitapps file manager