PT-2023-32413 · WordPress · File Manager
Dmitry Ignatyev · Published 2023-12-11 · Updated 2023-12-13
CVE-2023-5907
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
File Manager WordPress plugin versions prior to 6.3
Description
The issue allows an administrator to set the file manager's root directory to a path outside the WordPress root directory, giving access to system files and directories. This applies even in a multisite setup, where site administrators should not be allowed to modify the site's files.
Recommendations
For versions prior to 6.3, update to version 6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the file manager's root directory to prevent administrators from setting a root outside of the WordPress root directory.
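The check the workaround calls for, as an added example that is not code from the plugin or from the advisory: a root-directory validator that canonicalizes the candidate path and rejects anything resolving outside the WordPress root, alongside the naive prefix comparison it replaces, which `..` segments and symlinks defeat. Written in Python rather than the plugin's PHP; the directory layout and paths are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def naive_is_within_root(candidate: str, wp_root: str) -> bool:
    """String-prefix check only: passes '..' segments and symlinks that escape."""
    return candidate == wp_root or candidate.startswith(wp_root.rstrip("/") + "/")


def is_within_root(candidate: str, wp_root: str) -> bool:
    """Canonicalize both paths (resolving '..' and symlinks), then require the
    candidate to be the WordPress root itself or a descendant of it."""
    root = Path(os.path.realpath(wp_root))
    target = Path(os.path.realpath(candidate))
    return target == root or root in target.parents


def validate_file_manager_root(candidate: str, wp_root: str) -> str:
    """Return the canonical root to store, or raise ValueError to reject the setting."""
    if not is_within_root(candidate, wp_root):
        raise ValueError(f"refusing file manager root outside WordPress root: {candidate!r}")
    return os.path.realpath(candidate)


def demo() -> dict:
    """Constructed layout: <tmp>/html plays the WordPress root and contains a
    symlink 'escape' pointing at <tmp>/outside. Returns, per case, the verdict of
    (naive_is_within_root, is_within_root)."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_root = os.path.join(tmp, "html")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(wp_root, "wp-content", "uploads"))
        os.makedirs(outside)
        link = os.path.join(wp_root, "escape")
        os.symlink(outside, link)
        cases = {
            "uploads": os.path.join(wp_root, "wp-content", "uploads"),  # legitimate
            "dotdot": os.path.join(wp_root, "wp-content", "..", ".."),  # climbs out
            "symlink": link,                                             # resolves out
            "absolute": "/etc",                                          # plainly out
        }
        return {name: (naive_is_within_root(p, wp_root), is_within_root(p, wp_root))
                for name, p in cases.items()}
```

The two escape cases show why the check must run on the canonical path rather than the string the administrator submitted.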
Weakness Enumeration
Files Accessible to External Parties
Affected Products
File Manager