10
CVE-2020-25213
- EPSS 94.4%
- Veröffentlicht 09.09.2020 16:15:12
- Zuletzt bearbeitet 07.11.2025 22:01:59
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginFile Manager <= 6.8 - Arbitrary File Upload/Remote Code Execution
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
Mögliche Gegenmaßnahme
File Manager: Update to version 6.9, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
File Manager
Version
*-6.8
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Filemanagerpro ≫ File Manager SwEditionfree SwPlatformwordpress Version < 6.9
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
WordPress File Manager Plugin Remote Code Execution Vulnerability
SchwachstelleWordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.4% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| cve@mitre.org | 10 | 3.9 | 6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.