CVE-2024-2654 — Path Traversal: '.../...//' in File Manager

CWE-35 — Path Traversal: '.../...//'CWE-22 — Path Traversal4 documents4 sources

Severity

6.8MEDIUMNVD

OSV5.5

EPSS

1.9%

top 16.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Filemanagerpro File Manager Cimg Mndpsingh287 File Manager

Timeline

PublishedApr 9

Latest updateApr 15

Description

The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:NExploitability: 2.3 | Impact: 4.0

Affected Packages3 packages

▶NVDfilemanagerpro/file_manager< 7.2.6

▶CVEListV5mndpsingh287/file_manager7.2.5

▶Ubuntucimg/cimg< 1.7.9+dfsg-2ubuntu0.18.04.2+esm1+2

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

OSV

cimg vulnerabilities↗2025-04-15

▶

CVEList

File Manager <= 7.2.5 - Authenticated (Administrator+) Directory Traversal↗2024-04-09

▶

GHSA

GHSA-fvm8-pgm7-cg8j: The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7↗2024-04-09

▶