File Manager Pro vulnerabilities

CVE-2025-0818 [MEDIUM] CWE-22 CVE-2025-0818: Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Trave Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.

CVE-2024-8507 [HIGH] CWE-352 CVE-2024-8507: The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all version The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. This is due to missing or incorrect nonce validation on the 'mk_file_folder_manager' ajax action. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a s

CVE-2024-8746 [HIGH] CWE-434 CVE-2024-8746: The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploa The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if granted access to the File Manager by an administrator, to

CVE-2024-8918 [MEDIUM] CWE-434 CVE-2024-8918: The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all ver The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored

CVE-2024-7559 [HIGH] CWE-94 CVE-2024-7559: The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affe

CVE-2023-6825 [CRITICAL] CWE-23 CVE-2023-6825: The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files

CVE-2023-7015 [MEDIUM] CWE-79 CVE-2023-7015: The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 't The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick

CVE-2023-6846 [HIGH] CWE-94 CVE-2023-6846: The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents us