CVE-2018-16363

Name of the Vulnerable Software and Affected Versions mndpsingh287 File Manager plugin version 2.9

Description The issue concerns a cross-site scripting (XSS) problem. It occurs via the lang parameter in a "wp-admin/admin.php?page=wp file manager" request. This happens because set transient is used in file folder manager.php, and there is an echo of lang in libwpfilemanager.php.

Recommendations For version 2.9, consider disabling the lang parameter in the "wp-admin/admin.php?page=wp file manager" request until a patch is available. Restrict access to the libwpfilemanager.php file to minimize the risk of exploitation. Avoid using the lang parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.