cbcvebase.
CVE-2020-24312
published 2020-08-26


Priority: P2 / 62 / high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: flagged
EPSS: 16.33% (96.6th percentile)
mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.

Affected

1 range
Vendor: filemanagerpro
Product: file_manager
Version range: <= 6.4
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /wp-content/uploads/wp-file-manager-pro/fm_backup/
path: /wp-content/uploads/wp-file-manager-pro/fm_backup/
  • Send an unauthenticated HTTP GET request to /wp-content/uploads/wp-file-manager-pro/fm_backup/ and check for a 200 response containing directory listing indicators.
  • A vulnerable response will contain all three strings: 'Index of', 'wp-content/uploads/wp-file-manager-pro/fm_backup', and 'backup_' in the response body, with HTTP status 200.
  • The vulnerability affects WP File Manager v6.4 and lower; the fm_backups directory lacks a .htaccess restriction, allowing unauthenticated directory browsing and file download.
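The detection rule above, written out as an added example (not code from the record or the plugin) for checking a site you administer: a pure function applies the three-marker rule to one response, a wrapper fetches the backup path, and the `HTACCESS_DENY` remediation line is Apache 2.4 syntax assumed here, not quoted from the record.

```python
import urllib.request
from urllib.error import HTTPError, URLError

# Path named in the record (the directory the plugin writes its backups to)
BACKUP_PATH = "/wp-content/uploads/wp-file-manager-pro/fm_backup/"

# All three markers must be present in a 200 response for the rule to fire
LISTING_MARKERS = (
    "Index of",
    "wp-content/uploads/wp-file-manager-pro/fm_backup",
    "backup_",
)

# Remediation the record implies: an .htaccess in fm_backup that refuses web access.
# Apache 2.4 syntax (assumed); on 2.2 the equivalent is "Order deny,allow" / "Deny from all".
HTACCESS_DENY = "Require all denied\n"


def backup_dir_exposed(status: int, body: str) -> bool:
    """Apply the record's detection rule to one HTTP status/body pair."""
    return status == 200 and all(marker in body for marker in LISTING_MARKERS)


def check_site(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the backup directory of a site you administer and classify the response."""
    url = base_url.rstrip("/") + BACKUP_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "fm_backup-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        status, body = e.code, ""  # 403/404 means no listing was served
    except URLError as e:
        return {"url": url, "status": None, "exposed": False, "error": str(e.reason)}
    return {"url": url, "status": status, "exposed": backup_dir_exposed(status, body)}


# Constructed sample responses for offline use (not captured from any real site)
SAMPLE_LISTING = (
    "<html><head><title>Index of /wp-content/uploads/wp-file-manager-pro/fm_backup</title>"
    "</head><body><h1>Index of /wp-content/uploads/wp-file-manager-pro/fm_backup</h1>"
    '<a href="backup_2020-08-20-db.sql.gz">backup_2020-08-20-db.sql.gz</a></body></html>'
)
SAMPLE_FORBIDDEN = "<html><body><h1>Forbidden</h1></body></html>"

if __name__ == "__main__":
    print("listing exposed:", backup_dir_exposed(200, SAMPLE_LISTING))      # True
    print("forbidden exposed:", backup_dir_exposed(403, SAMPLE_FORBIDDEN))  # False
```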

CVSS provenance

nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)