Skip to main content

File Manager

20 CVEs product

Monthly

CVE-2026-6382 CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP Fileorganizer Advanced File Manager +2
NVD WPScan VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2025-63678 HIGH POC This Month

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP RCE File Manager
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2024-8918 MEDIUM This Month

The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload File Manager
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-8746 HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload File Manager
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-8507 HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Manager
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-7770 HIGH PATCH This Week

The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload File Manager
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-7627 HIGH PATCH This Week

The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE File Manager
NVD
CVSS 3.1
8.1
EPSS
2.8%
CVE-2024-2654 MEDIUM PATCH This Month

The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress Path Traversal File Manager
NVD
CVSS 3.1
6.8
EPSS
1.9%
CVE-2024-1538 HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF File Manager
NVD
CVSS 3.1
8.8
EPSS
4.5%
CVE-2023-6825 CRITICAL POC PATCH Act Now

The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Path Traversal File Manager
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
3.7%
CVE-2024-0761 HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

WordPress Information Disclosure File Manager
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2023-6846 HIGH POC THREAT Act Now

Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

Code Injection RCE WordPress File Upload File Manager
NVD GitHub
CVSS 3.1
8.8
EPSS
13.3%
CVE-2022-47599 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager - 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.2.7. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization WordPress File Manager
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-5907 MEDIUM POC This Month

The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure WordPress File Manager
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24177 MEDIUM POC PATCH This Month

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP File Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-20651 CRITICAL Act Now

Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal File Manager
NVD
CVSS 3.1
9.1
EPSS
1.9%
CVE-2020-25213 CRITICAL POC KEV PATCH THREAT Act Now

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload WordPress PHP File Manager
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
97.3%
CVE-2020-24312 HIGH POC THREAT This Week

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure File Manager
NVD
CVSS 3.1
7.5
EPSS
15.9%
CVE-2018-16363 MEDIUM POC PATCH This Month

The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP File Manager
NVD
CVSS 3.0
5.4
EPSS
1.4%
CVE-2018-7204 HIGH PATCH This Week

inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google WordPress Information Disclosure PHP File Manager
NVD
CVSS 3.0
7.5
EPSS
2.9%
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP +4
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH POC This Month

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP RCE +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS File Upload +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress File Upload +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF File Manager
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload +1
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection WordPress RCE +1
NVD
EPSS 2% CVSS 6.8
MEDIUM PATCH This Month

The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity.

WordPress Path Traversal File Manager
NVD
EPSS 4% CVSS 8.8
HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF File Manager
NVD
EPSS 4% CVSS 9.9
CRITICAL POC PATCH Act Now

The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Path Traversal File Manager
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

WordPress Information Disclosure File Manager
NVD
EPSS 13% CVSS 8.8
HIGH POC THREAT Act Now

Remote code execution in the WordPress File Manager Pro plugin (versions up to and including 8.3.4) allows authenticated attackers with subscriber-level access to upload arbitrary files via the mk_check_filemanager_php_syntax AJAX endpoint, leading to full server compromise. Publicly available exploit code exists, and the high EPSS score of 13.31% (94th percentile) indicates significant real-world exploitation likelihood. The flaw is patched in version 8.3.5, which introduces a missing capability check.

Code Injection RCE WordPress +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager - 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.2.7. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization WordPress File Manager
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure WordPress +1
NVD WPScan
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP +1
NVD WPScan
EPSS 2% CVSS 9.1
CRITICAL Act Now

Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal File Manager
NVD
EPSS 97% CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload WordPress PHP +1
NVD GitHub Exploit-DB
EPSS 16% CVSS 7.5
HIGH POC THREAT This Week

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure File Manager
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google WordPress Information Disclosure +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy