CVE-2018-25105

9.8 CRITICAL

📋 TL;DR

The File Manager WordPress plugin versions up to 3.0 contain an authorization bypass vulnerability that allows unauthenticated attackers to download and upload arbitrary files. This can lead to remote code execution by uploading malicious files like PHP shells. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WordPress File Manager plugin
Versions: All versions up to and including 3.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the File Manager plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through remote code execution, data exfiltration, and persistent backdoor installation.

🟠 Likely Case: Attackers upload web shells to gain administrative access, deface websites, or install malware.

🟢 If Mitigated: Limited impact if file uploads are restricted at the web server level or the plugin is behind authentication.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows direct attack from internet without credentials.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but require network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to vulnerable endpoints can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.1 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find the 'File Manager' plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin, then install a fresh copy of version 3.0.1+ from the WordPress repository.

🔧 Temporary Workarounds

Disable File Manager plugin (platform: all)

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate wp-file-manager

Restrict access via .htaccess (platform: linux)

Block access to vulnerable plugin directory at web server level.

# Place this file as wp-content/plugins/wp-file-manager/.htaccess so it applies
# to that directory only. <Directory> is not permitted inside .htaccess, and a
# site-wide FilesMatch that denies *.php would also block WordPress itself.
<IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
</IfModule>

🧯 If You Can't Patch

  • Remove the File Manager plugin completely from the WordPress installation
  • Implement web application firewall rules to block requests to /wp-content/plugins/wp-file-manager/inc/root.php

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → File Manager version. If version is 3.0 or lower, you are vulnerable.

Check Version:

wp plugin get wp-file-manager --field=version

Verify Fix Applied:

Confirm File Manager plugin version is 3.0.1 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-content/plugins/wp-file-manager/inc/root.php with POST parameters
  • Unusual file uploads to wp-content/uploads directory
  • Multiple failed authentication attempts followed by successful file operations

Network Indicators:

  • POST requests to root.php endpoint without authentication cookies
  • Unusual file downloads/uploads to plugin directory

SIEM Query:

source="web_logs" AND (uri="/wp-content/plugins/wp-file-manager/inc/root.php" OR user_agent CONTAINS "File Manager exploit")
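As an added example that is not part of this advisory, the log indicators above implemented as a small Python scanner over Apache access-log lines. It assumes a custom LogFormat that appends the quoted Cookie header to the combined format (so the WordPress login cookie is visible), and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Assumed (constructed) log format: Apache combined log plus a trailing quoted
# Cookie header, e.g. LogFormat "... \"%{User-Agent}i\" \"%{Cookie}i\"".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
ROOT_PHP = "/wp-content/plugins/wp-file-manager/inc/root.php"
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"   # set by WordPress on login
Hit = namedtuple("Hit", "ip ts method uri status reason")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return an indicator label for a parsed record, or None if benign."""
    path = rec["uri"].split("?", 1)[0]
    if path != ROOT_PHP:
        return None
    # A POST with no WordPress login cookie matches the unauthenticated pattern.
    if rec["method"] == "POST" and AUTH_COOKIE_PREFIX not in rec["cookie"]:
        return "unauthenticated POST to root.php"
    return "request to root.php"

def scan(lines):
    """Return a Hit for every log line that touches the vulnerable endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"],
                            rec["uri"], rec["status"], reason))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2019:12:00:01 +0000] "POST /wp-content/plugins/wp-file-manager/inc/root.php HTTP/1.1" 200 512 "-" "python-requests/2.18" "-"',
    '198.51.100.7 - - [10/Jan/2019:12:01:15 +0000] "GET /wp-content/plugins/wp-file-manager/inc/root.php?cmd=file HTTP/1.1" 200 1024 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1"',
    '192.0.2.9 - - [10/Jan/2019:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
]
```

Calling `scan(SAMPLE_LOG)` flags the first line as an unauthenticated POST and the second as an authenticated request to the endpoint; the third is ignored.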
