Skip to main content

File Manager Pro

3 CVEs product

Monthly

CVE-2026-6382 CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP Fileorganizer Advanced File Manager +2
NVD WPScan VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-7559 HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE File Manager Pro
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-7015 MEDIUM PATCH This Month

The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress File Manager Pro
NVD
CVSS 3.1
6.1
EPSS
1.3%
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP +4
NVD WPScan VulDB
EPSS 1% CVSS 8.8
HIGH This Week

The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection WordPress RCE +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress File Manager Pro
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy