CVE-2023-6825
published 2024-03-13

Priority: P2 (72)
Severity: critical, CVSS 3.1 base score 9.9
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 6.01% (92.4th percentile)

The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including, version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information, and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.

Affected (3 ranges)

Vendor          Product            Version range   Fixed in
file_manager    file_manager_pro   <= 8.3.4        (none listed)
mndpsingh287    file_manager       <= 7.2.1        (none listed)
mndpsingh287    file_manager       <= 8.3.4        (none listed)

Detection & IOCs (extracted from sources)

  • other, digest: 4a0a00473045022003cfac08119cddd30273a9df170a80011bd7aad57a2b49eda7acbf6bdcc85403022100b4a66922eb9bf5ed7e689355c94740581de7d84beb95e36982f5e2fdfc7e327c:922c64590222798bb761d5b6d8e72950
  • yara, regex: ']*value="([a-f0-9]+)"'
  • yara, regex: '"nonce"\s*:\s*"([a-f0-9]+)"'
  • Exploit targets the `target` parameter in the `mk_file_folder_manager_action_callback_shortcode` function — monitor HTTP requests containing directory traversal sequences (e.g., `../`) in the `target` parameter directed at WordPress File Manager / File Manager Pro endpoints.
  • Detection template checks for HTTP 200 response AND presence of `root:.*:0:0:` in the response body — indicating successful /etc/passwd read via directory traversal; use this regex pattern to detect successful exploitation in web server logs or proxied responses.
  • The exploit flow extracts a WordPress nonce value matching `[a-f0-9]+` from the page body before performing the traversal — monitor for automated nonce-harvesting requests to File Manager shortcode pages followed immediately by file-read or upload requests.
  • The Pro version allows the file manager to be embedded via shortcode and grants file-handling privileges to lower-level users — audit WordPress user roles for unexpected file-manager permissions, especially non-admin roles.
  • Free version (≤7.2.1) requires Administrator-level access for exploitation; Pro version (≤8.3.4) may be exploitable by lower-privileged users if admins have granted file-handling permissions.