PT-2024-15110 · WordPress · File Manager Pro

Credits: Kun_19 +1
Published: 2024-02-05 · Updated: 2024-10-18
CVE: CVE-2023-6846
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: File Manager Pro plugin for WordPress, versions up to and including 8.3.4.
Description: The issue allows authenticated attackers with subscriber-level access and above to execute code on the server via the mk_check_filemanager_php_syntax AJAX function, which also enables arbitrary file upload. Because the function is reachable by any authenticated user, a low-privileged account is sufficient to execute server-side code.
Recommendations: For versions up to and including 8.3.4, update to version 8.3.5 or later, which introduces a capability check that prevents users below administrator from executing the vulnerable function. As a temporary workaround, consider restricting access to the mk_check_filemanager_php_syntax AJAX function until the patch can be applied.
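As an added example (not the plugin's own code and not part of this advisory), the following shows (a) the kind of capability check the 8.3.5 fix introduces on a wp_ajax_* handler and (b) a must-use plugin guard that imposes the same restriction on an existing handler, the interim workaround the recommendation describes. The AJAX action name is an assumption derived from the advisory text; the hardened handler itself is illustrative, not the plugin's.

```php
<?php
/*
 * Added example, not the plugin's own code. The action name below is an
 * ASSUMPTION derived from the advisory; adjust it to the real hook if it differs.
 */
const EXAMPLE_AJAX_ACTION = 'mk_check_filemanager_php_syntax';

// (a) Hardened handler. wp_ajax_* hooks fire for every logged-in user, subscribers
// included, so authentication alone is not authorisation: the callback must check.
function example_check_php_syntax_hardened() {
    // The check missing in <= 8.3.4: only administrators may reach the function.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Reject forged cross-site requests; the nonce must have been issued for this action.
    check_ajax_referer( EXAMPLE_AJAX_ACTION, 'nonce' );

    // Lint the submitted source in a temporary file outside the web root; never
    // include() it or write it to a path chosen by the client.
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    $tmp  = tempnam( sys_get_temp_dir(), 'lint' );
    file_put_contents( $tmp, $code );
    exec( 'php -l ' . escapeshellarg( $tmp ) . ' 2>&1', $out, $status );
    unlink( $tmp );

    wp_send_json_success( array(
        'valid'  => 0 === $status,
        'output' => implode( "\n", $out ),
    ) );
}
add_action( 'wp_ajax_' . EXAMPLE_AJAX_ACTION, 'example_check_php_syntax_hardened' );

// (b) Interim workaround, dropped into wp-content/mu-plugins/: priority 0 runs
// before the plugin's own callback (default priority 10), so requests from
// accounts below administrator are terminated before the vulnerable code runs.
add_action( 'wp_ajax_' . EXAMPLE_AJAX_ACTION, function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
}, 0 );
```

The guard in (b) is a stopgap only; it does not replace updating to 8.3.5 or later, and it must remain in place until the update is applied.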

Weakness Enumeration: Unrestricted File Upload; Code Injection
Related Identifiers: CVE-2023-6846
Affected Products: File Manager Pro