CVE-2023-6825
📋 TL;DR
This vulnerability in File Manager and File Manager Pro WordPress plugins allows directory traversal attacks via the target parameter. Attackers can read arbitrary files containing sensitive information and upload files to unintended directories. The free version requires Administrator access, while the Pro version can be exploited by lower-level users if granted file handling privileges.
💻 Affected Systems
- File Manager WordPress Plugin
- File Manager Pro WordPress Plugin
📦 What is this software?
File Manager by Mndpsingh287
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via reading sensitive files (configurations, credentials) and uploading malicious files leading to remote code execution.
Likely Case
Sensitive data exposure (database credentials, configuration files) and unauthorized file uploads to restricted directories.
If Mitigated
Limited impact if proper access controls and file permissions are enforced, though directory traversal would still be possible.
🎯 Exploit Status
Exploitation requires authenticated access: Administrator for the free version; for the Pro version, any role that has been granted file-handling privileges. The fixing changeset and the Wordfence advisory are linked in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Free version 7.2.2+, Pro version 8.3.5+
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'File Manager' or 'File Manager Pro'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugins
Temporarily disable the File Manager and File Manager Pro plugins until they are patched:
wp plugin deactivate wp-file-manager
wp plugin deactivate wp-file-manager-pro
Restrict user privileges
For the Pro version, remove file-handling privileges from all non-administrator users until the plugin is updated.
🧯 If You Can't Patch
- Implement strict file permission controls on server directories.
- Use web application firewall (WAF) rules to block directory traversal patterns in requests.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for File Manager version <=7.2.1 or File Manager Pro version <=8.3.4.
Check Version (the free plugin's slug is wp-file-manager, as in the changeset reference; use the Pro plugin's slug for Pro):
wp plugin list --name=wp-file-manager --field=version
Verify Fix Applied:
Confirm plugin versions are updated to File Manager 7.2.2+ or File Manager Pro 8.3.5+ in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-admin/admin-ajax.php with action=mk_file_folder_manager_action_callback_shortcode whose target parameter contains '../' or '..\' in raw, URL-encoded (%2e%2e%2f) or double-encoded form
- Those requests answered with HTTP 200 and a response body of unexpected size, or, where file-access auditing is enabled, reads of files outside the plugin's managed directory such as wp-config.php
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php carrying a target parameter with path traversal sequences (the POST body is only visible if a WAF or request-body logging captures it; a plain access log shows only the query string)
SIEM Query (illustrative pseudo-syntax; adapt to your platform's field names):
source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND (param="target" AND value="*../*")
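The indicators above look for '../' in the target parameter of admin-ajax.php requests. As an added example (not part of the advisory, the plugin, or Wordfence's material), the following Python scanner runs that logic over constructed log lines, with two caveats a practitioner needs: a stock access log contains no POST body, so the trailing quoted body field in the sample format is assumed to come from a WAF/ModSecurity-style capture; and because the plugin wraps elFinder, whose target values are normally a volume id followed by modified base64 of the path, the scanner also decodes that hash form so a traversal hidden inside it is not missed. The hash encoding (base64 with '+/=' replaced by '-_.', trailing dots stripped) follows elFinderVolumeDriver's encode()/decode(); that attack payloads for this CVE arrive in that form rather than as a literal '../' is an assumption, which is why both forms are checked. The log format, IP addresses and request bodies are constructed.

```python
"""Scan request logs for CVE-2023-6825 style traversal attempts against the
File Manager plugin's admin-ajax.php action (added example, not from the advisory)."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
# Action name as given in the advisory's detection section.
FM_ACTION = "mk_file_folder_manager_action_callback_shortcode"
# A '..' path component delimited by '/' or '\' (or string start/end).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed log format (an assumption): NCSA common log format plus one trailing
# quoted field holding the captured request body. Stock Apache/nginx access logs
# do NOT record POST bodies; that field has to come from a WAF/ModSecurity-style log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>[^"]*)")?$'
)


def full_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (catches %2e%2e%2f and %252e...)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def encode_elfinder_hash(path, volume_id="l1_"):
    """Build an elFinder target hash the way elFinderVolumeDriver::encode() does:
    base64(path) with '+/=' -> '-_.', trailing '.' removed, volume id prefixed."""
    b64 = base64.b64encode(path.encode()).decode()
    return volume_id + b64.translate(str.maketrans("+/=", "-_.")).rstrip(".")


def decode_elfinder_hash(value):
    """Inverse of encode_elfinder_hash(); None when the value is not hash-shaped."""
    m = re.fullmatch(r"([A-Za-z0-9]+_)([A-Za-z0-9_.\-]*)", value)
    if not m:
        return None
    b64 = m.group(2).translate(str.maketrans("-_.", "+/="))
    b64 += "=" * (-len(b64) % 4)  # restore the padding elFinder strips
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def inspect_request(uri, body=""):
    """Return indicator strings for one request (empty list when nothing suspicious).
    Parameters are merged from the query string and the captured POST body."""
    parts = urlsplit(uri)
    if parts.path != AJAX_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if FM_ACTION not in params.get("action", []):
        return []
    hits = []
    # 'target' is the parameter named by the advisory; elFinder also sends
    # 'targets[]' for multi-file commands, so it is checked the same way.
    for name in ("target", "targets[]"):
        for raw in params.get(name, []):
            value = full_decode(raw)
            if TRAVERSAL.search(value):
                hits.append(f"{name}: literal traversal {value!r}")
                continue
            path = decode_elfinder_hash(value)
            if path is not None and TRAVERSAL.search(path):
                hits.append(f"{name}: traversal inside elFinder hash {path!r}")
    return hits


def scan(lines):
    """Return (ip, timestamp, hits) for every log line carrying an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hits = inspect_request(m["uri"], m["body"] or "")
        if hits:
            findings.append((m["ip"], m["ts"], hits))
    return findings


# Constructed sample traffic (not real logs): one benign file-manager call, an
# attempt hidden in an elFinder hash, a literal URL-encoded attempt, and traversal
# against an unrelated action that the scanner deliberately ignores.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Jan/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2024:09:12:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 318 '
    f'"action={FM_ACTION}&cmd=open&target={encode_elfinder_hash("/")}"',
    '203.0.113.9 - - [10/Jan/2024:09:13:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2210 '
    f'"action={FM_ACTION}&cmd=file&target={encode_elfinder_hash("../../wp-config.php")}"',
    '203.0.113.9 - - [10/Jan/2024:09:13:51 +0000] "GET /wp-admin/admin-ajax.php?action='
    f'{FM_ACTION}&cmd=file&target=..%2f..%2fwp-config.php HTTP/1.1" 200 2210',
    '203.0.113.9 - - [10/Jan/2024:09:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 '
    '"action=heartbeat&target=../../etc/passwd"',
]

if __name__ == "__main__":
    for ip, ts, hits in scan(SAMPLE_LOGS):
        print(ip, ts, "; ".join(hits))
```

The scanner restricts itself to the plugin's own action so that traversal strings aimed at other admin-ajax.php handlers do not show up as this CVE; widen the action filter if you want a generic admin-ajax traversal alert. Because it decodes the elFinder hash, a benign request whose decoded path contains '..' is still flagged, which is the intended bias for an indicator of this kind.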
🔗 References
- https://github.com/Studio-42/elFinder/blob/master/php/elFinderVolumeDriver.class.php#L6784
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3023403%40wp-file-manager%2Ftrunk&old=2984933%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804?source=cve