CVE-2018-19043

Name of the Vulnerable Software and Affected Versions Media File Manager plugin version 1.4.2

Description The issue allows for arbitrary file renaming by exploiting a directory traversal vulnerability in the dir parameter of the mrelocator rename action. This can be achieved by sending a request to the wp-admin/admin-ajax.php URI, specifying a from and to filename, and utilizing a ../ directory traversal in the dir parameter.

Recommendations For Media File Manager plugin version 1.4.2, consider restricting access to the wp-admin/admin-ajax.php URI to prevent exploitation of the mrelocator rename action until a patch is available. Avoid using the dir parameter in the affected API endpoint until the issue is resolved.