Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-24312Files or Directories Accessible to External Parties in File Manager

CWE-552Files or Directories Accessible to External PartiesCWE-200Sensitive Information Exposure4 documents4 sources
Severity
7.5HIGHNVD
EPSS
51.6%
top 2.10%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Filemanagerpro File Manager
Timeline
PublishedAug 26
Latest updateMay 24

Description

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-2652-63hr-2gvh: mndpsingh287 WP File Manager v62022-05-24
CVEList
CVE-2020-24312: mndpsingh287 WP File Manager v62020-08-26

💥Exploits & PoCs

1
Nuclei
WordPress Plugin File Manager (wp-file-manager) Backup Disclosure
CVE-2020-24312 — File Manager vulnerability | cvebase