PT-2020-6318 · WordPress · Wp File Manager

Catalin Cimpanu

Published: 2020-09-09
Updated: 2026-01-13


CVE-2020-25213

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wp-file-manager plugin versions prior to 6.9

Description: The issue allows remote attackers to upload and execute arbitrary PHP code because the plugin renames an unsafe example elFinder connector file to have the .php extension. This lets attackers run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. The issue was exploited in the wild in August and September 2020. Approximately 42% of users who had installed the plugin were still running a vulnerable version when this was reported.

Recommendations: For versions prior to 6.9, update the wp-file-manager plugin to version 6.9 or later to resolve the issue. If the update cannot be applied immediately, disable the elFinder upload functionality as a temporary workaround, and restrict access to the wp-content/plugins/wp-file-manager/lib/files/ directory to minimize the risk of exploitation. Avoid using the elFinder connector file with the .php extension in the affected plugin until the issue is resolved.
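The two checks a site owner would want after reading the description and recommendations above are (a) is the installed plugin older than 6.9, and (b) has anything script-like already been written into wp-content/plugins/wp-file-manager/lib/files/. The script below is an added example written for this record; it is not code from the advisory or from the plugin. It assumes a standard WordPress directory layout, that the plugin's main PHP file carries the usual WordPress plugin header line "Version: x.y" (the file name main.php used in the constructed fixture is hypothetical), and that the web server honours Apache 2.4 .htaccess directives, which it uses to implement the "restrict access to lib/files/" recommendation as an interim measure, not as a replacement for updating to 6.9.

```python
"""Added example (not part of the advisory): audit a WordPress install for
exposure to CVE-2020-25213 and optionally restrict the upload directory.

Assumptions, not taken from the advisory: the plugin's main PHP file carries
the standard WordPress plugin header line "Version: x.y"; the filesystem
layout is a normal WordPress root; Apache 2.4 ".htaccess" syntax is used for
the deny rule.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

FIXED_VERSION = (6, 9)                          # first fixed release named in the advisory
PLUGIN_REL = Path("wp-content/plugins/wp-file-manager")
UPLOAD_REL = PLUGIN_REL / "lib" / "files"       # directory the advisory says PHP gets written to
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)
# Apache 2.4 rule: refuse to serve any script-looking file from the upload directory.
HTACCESS_DENY = (
    '<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def parse_version(header_text: str) -> tuple[int, ...] | None:
    """Return the 'Version:' header as a comparable int tuple, or None if absent."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def installed_version(wp_root: Path) -> tuple[int, ...] | None:
    """Find the plugin's main file (first *.php in its root with a Version header)."""
    for php in sorted((wp_root / PLUGIN_REL).glob("*.php")):
        v = parse_version(php.read_text(errors="replace"))
        if v is not None:
            return v
    return None


def is_vulnerable_version(version: tuple[int, ...] | None) -> bool:
    """Tuple comparison orders 6.8.1 < 6.9 < 6.10 correctly."""
    return version is not None and version < FIXED_VERSION


def suspicious_uploads(wp_root: Path) -> list[Path]:
    """Script files under lib/files/ are the artefact exploitation leaves behind."""
    upload_dir = wp_root / UPLOAD_REL
    if not upload_dir.is_dir():
        return []
    return sorted(p for p in upload_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXT)


def audit(wp_root: Path) -> dict:
    """Combine the version check and the upload-directory sweep into one report."""
    version = installed_version(wp_root)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "suspicious_files": [str(p.relative_to(wp_root)) for p in suspicious_uploads(wp_root)],
    }


def write_deny_htaccess(wp_root: Path) -> Path:
    """Interim restriction for the upload directory (Apache 2.4; not a substitute for 6.9)."""
    upload_dir = wp_root / UPLOAD_REL
    upload_dir.mkdir(parents=True, exist_ok=True)
    target = upload_dir / ".htaccess"
    target.write_text(HTACCESS_DENY)
    return target


def make_demo_install(root: Path, version: str, plant_script: bool) -> Path:
    """Constructed fixture: a fake WordPress root with only the pieces audited here."""
    plugin_dir = root / PLUGIN_REL
    plugin_dir.mkdir(parents=True, exist_ok=True)
    (plugin_dir / "main.php").write_text(          # hypothetical main-file name
        "<?php\n/*\nPlugin Name: File Manager\nVersion: %s\n*/\n" % version)
    (root / UPLOAD_REL).mkdir(parents=True, exist_ok=True)
    (root / UPLOAD_REL / "readme.txt").write_text("constructed harmless file\n")
    if plant_script:
        (root / UPLOAD_REL / "dropped.php").write_text("<?php /* constructed marker */\n")
    return root


def run_demo() -> dict:
    """Audit one vulnerable and one patched constructed install; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        vulnerable = make_demo_install(Path(tmp) / "old", "6.8", plant_script=True)
        patched = make_demo_install(Path(tmp) / "new", "6.9", plant_script=False)
        write_deny_htaccess(vulnerable)
        return {"old": audit(vulnerable), "new": audit(patched)}


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

Run it against a real install with audit(Path("/var/www/html")) (path is an assumption). A non-empty suspicious_files list is an incident-response signal, not just a hardening gap: any script under lib/files/ should be preserved for analysis and the site treated as compromised rather than simply cleaned. The .htaccess rule only stops the web server from executing what has already been dropped; it does not close the unauthenticated connector, so it belongs alongside the update, not instead of it.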

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: BDU:2021-04175, CVE-2020-25213

Affected Products: Wp File Manager