Webdesi9 File Manager
By the Year
In 2024 there have been 1 vulnerability in Webdesi9 File Manager with an average score of 7.5 out of ten. File Manager did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2024 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 1 | 7.50 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 5.40 |
| 2020 | 2 | 8.65 |
| 2019 | 2 | 7.45 |
| 2018 | 1 | 5.40 |
It may take a day or so for new File Manager vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Webdesi9 File Manager Security Vulnerabilities
The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames
CVE-2024-0761
7.5 - High
- February 05, 2024
The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access.
Use of Insufficiently Random Values
In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS
CVE-2021-24177
5.4 - Medium
- April 05, 2021
In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response.
XSS
The File Manager (wp-file-manager) plugin before 6.9 for WordPress
CVE-2020-25213
9.8 - Critical
- September 09, 2020
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
Unrestricted File Upload
mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file
CVE-2020-24312
7.5 - High
- August 26, 2020
mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
Files or Directories Accessible to External Parties
There is an XSS vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress
CVE-2018-16967
6.1 - Medium
- April 15, 2019
There is an XSS vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter.
XSS
There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress
CVE-2018-16966
8.8 - High
- April 15, 2019
There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter.
Session Riding
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request
CVE-2018-16363
5.4 - Medium
- September 07, 2018
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Webdesi9 File Manager or by Webdesi9? Click the Watch button to subscribe.
