CVE-2018-7204

Name of the Vulnerable Software and Affected Versions Giribaz File Manager plugin versions prior to 5.0.2

Description The issue allows sensitive information to be logged in an unprotected file. When a user edits the wp-config.php file using the plugin, its contents, including database credentials and salts, are added to the log file /wp-content/uploads/file-manager/log.txt. This log file is not protected and has been indexed by Google, making it possible to find affected sites using a simple search query.

Recommendations For Giribaz File Manager plugin versions prior to 5.0.2, update to version 5.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the /wp-content/uploads/file-manager/log.txt file to minimize the risk of exploitation. Additionally, restrict access to the wp-config.php file when using the plugin to edit it, and avoid using the plugin for this purpose until the issue is resolved.