CVE-2023-4827

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the File Manager Pro WordPress plugin allows attackers to trick authenticated administrators into performing unauthorized file system operations. Attackers can upload web shells or modify files without the victim's knowledge by crafting malicious GET requests. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • File Manager Pro WordPress Plugin
Versions: All versions before 1.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the plugin to be installed and activated. The vulnerable fs_connector AJAX endpoint is accessible to authenticated users with appropriate privileges.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise via web shell upload leading to data theft, defacement, ransomware deployment, or server takeover.

🟠 Likely Case: Unauthorized file uploads leading to backdoor installation, data exfiltration, or site defacement.

🟢 If Mitigated: Limited impact if proper network segmentation, file integrity monitoring, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires only a crafted link to be clicked by an admin.
🏢 Internal Only: MEDIUM - Internal users could still be tricked via phishing or malicious internal sites, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated admin to click a malicious link. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8 and later

Vendor Advisory: https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'File Manager Pro' and check whether the version is below 1.8.
4. Click 'Update Now' if available, or download version 1.8+ from the vendor.
5. Replace the plugin files if a manual update is required.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint (platform: all)

Add the following to the WordPress theme's functions.php to unhook the fs_connector AJAX action:

// Unhooks the plugin's AJAX handler for both logged-in and anonymous requests.
// Assumes the plugin registered its callback under the name 'fs_connector' at the
// default priority; if the plugin hooks later than 'init', use a later hook.
add_action('init', function () {
    remove_action('wp_ajax_fs_connector', 'fs_connector');
    remove_action('wp_ajax_nopriv_fs_connector', 'fs_connector');
});

Deactivate plugin (platform: linux)

Temporarily disable the File Manager Pro plugin until patched, using WP-CLI:

wp plugin deactivate file-manager-pro

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) with frame-ancestors and form-action directives
  • Use web application firewall (WAF) rules to block requests to /wp-admin/admin-ajax.php?action=fs_connector

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → File Manager Pro version. If below 1.8, vulnerable.

Check Version:

wp plugin get file-manager-pro --field=version

Verify Fix Applied:

Confirm plugin version is 1.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST/GET requests to /wp-admin/admin-ajax.php with action=fs_connector from unusual IPs
  • File upload events via wp-admin/admin-ajax.php without corresponding user actions

Network Indicators:

  • GET requests to /wp-admin/admin-ajax.php?action=fs_connector with file upload parameters
  • Unusual file upload traffic to WordPress admin endpoints

SIEM Query:

source="wordpress.log" AND (url="/wp-admin/admin-ajax.php" AND parameters CONTAINS "action=fs_connector")
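The SIEM query above only selects fs_connector calls; a CSRF request is additionally recognisable because it arrives as a GET (the advisory describes crafted GET requests) or carries a Referer from a site other than the WordPress host. The following script is an added example, not part of this advisory or the plugin, that applies both checks to constructed Apache combined-format log lines; the hostname site.example and the sample lines are assumed values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2023:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fs_connector HTTP/1.1" 200 512 "https://attacker.example/" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2023:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=fs_connector HTTP/1.1" 200 512 "https://site.example/wp-admin/admin.php?page=file-manager" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2023:12:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "https://site.example/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2023:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=fs_connector HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "site.example"  # assumed hostname of the protected WordPress site


def parse_line(line):
    """Parse one combined-format line; returns None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_suspicious(log_text, site_host=SITE_HOST):
    """Return (ip, timestamp, reasons) for fs_connector calls that look cross-site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != "/wp-admin/admin-ajax.php":
            continue
        if rec["query"].get("action") != "fs_connector":
            continue
        reasons = []
        if rec["method"] == "GET":  # the plugin UI would normally POST to its connector
            reasons.append("GET to fs_connector")
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host != site_host:  # missing or third-party Referer
            reasons.append(f"referer {rec['referer']!r} is not {site_host}")
        if reasons:
            hits.append((rec["ip"], rec["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, reasons in find_suspicious(SAMPLE_LOG):
        print(ip, ts, "; ".join(reasons))
```

Only the two GET lines are reported; the POST from the site's own admin page passes both checks and is left alone.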
