CVE-2018-25105

Name of the Vulnerable Software and Affected Versions File Manager plugin for WordPress versions up to, and including, 3.0

Description The issue is related to a missing capability check in the /inc/root.php file, which allows unauthenticated attackers to bypass authorization. This enables them to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution. The API endpoint /inc/root.php is affected.

Recommendations For versions up to, and including, 3.0, update to a version that includes a fix for the missing capability check in the /inc/root.php file to prevent authorization bypass and potential remote code execution. As a temporary workaround, consider restricting access to the /inc/root.php file to minimize the risk of exploitation.