CVE-2025-0818
📋 TL;DR
This CVE describes a directory traversal vulnerability in elFinder versions 2.1.64 and prior when used in WordPress plugins. Unauthenticated attackers can delete arbitrary files if a site owner has explicitly made the file manager available to users. WordPress sites using vulnerable elFinder-based plugins are affected.
💻 Affected Systems
- WordPress plugins using elFinder library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through deletion of critical WordPress files (wp-config.php, .htaccess), leading to site defacement, data loss, or privilege escalation.
Likely Case
Selective file deletion causing site functionality disruption, content removal, or configuration corruption requiring restoration from backups.
If Mitigated
No impact if file manager is not exposed to users or proper access controls are implemented.
🎯 Exploit Status
Exploitation requires the file manager to be accessible to users, which is not the default configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: elFinder 2.1.65+
Vendor Advisory: https://github.com/Studio-42/elFinder
Restart Required: No
Instructions:
1. Update all WordPress plugins using elFinder to versions containing elFinder 2.1.65 or later.
2. Check plugin changelogs for security updates.
3. Update plugins via the WordPress admin panel or manually replace the elFinder files.
🔧 Temporary Workarounds
Disable user-accessible file manager
Remove or restrict access to the file manager interface from user-facing areas of the site
Implement file access controls
Add authentication and authorization checks before allowing file operations
🧯 If You Can't Patch
- Disable or remove vulnerable plugins entirely
- Implement web application firewall rules to block directory traversal patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin directories for elFinder.class.php files and examine version information in file headers or changelogs
Check Version:
grep -r 'elFinder' /path/to/wordpress/wp-content/plugins/ | grep -i version
Verify Fix Applied:
Confirm elFinder version is 2.1.65 or later by checking file headers or plugin documentation
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion requests
- Directory traversal patterns in URLs (../ sequences)
- Requests to file manager endpoints from unauthenticated users
Network Indicators:
- HTTP requests containing '../' patterns to file manager endpoints
- DELETE or POST requests to file operations endpoints
SIEM Query:
source="web_logs" AND (uri="*../*" OR method="DELETE") AND uri="*elfinder*"
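The SIEM query above keys on the literal "elfinder" in the URI, but the plugin paths listed in the references (wp-file-manager, filester, file-manager-advanced) do not contain that word, and a URL-encoded traversal (%2e%2e%2f) will not match a raw "../" pattern. The following script is an added example, not part of this advisory or of elFinder: it applies the same log indicators to combined-format web log lines, adding the plugin connector directories derived from the references and decoding the URI before matching. The sample log lines, IPs and the connector file name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic); connector file name is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:09 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?target=../../../wp-config.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:02:30 +0000] "GET /wp-content/plugins/filester/includes/File_manager/lib/php/connector.minimal.php?target=%2e%2e%2f%2e%2e%2f.htaccess HTTP/1.1" 200 77 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2025:10:03:00 +0000] "GET /wp-login.php?redirect_to=../admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:03:05 +0000] "DELETE /wp-json/elfinder/v1/file HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Connector directories of the plugins referenced by the advisory (lowercased); "elfinder" alone misses them.
ELFINDER_PATHS = (
    "elfinder",
    "/wp-file-manager/lib/php/",
    "/filester/includes/file_manager/lib/php/",
    "/file-manager-advanced/application/library/php/",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_uri(uri: str) -> str:
    """Decode twice so %2e%2e%2f and double-encoded variants collapse to '../'."""
    return unquote(unquote(uri)).replace("\\", "/").lower()

def classify(method: str, uri: str):
    """Return the reasons a request is suspicious, or None if it does not target elFinder."""
    norm = normalize_uri(uri)
    if not any(p in norm for p in ELFINDER_PATHS):
        return None
    reasons = []
    if "../" in norm:
        reasons.append("traversal")
    if method == "DELETE":
        reasons.append("delete-method")
    return reasons or None

def flag_elfinder_requests(log_text: str) -> list:
    # Parse each combined-format line and keep only the requests worth investigating.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["method"], m["uri"])
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"], "uri": m["uri"], "reasons": reasons})
    return hits
```

A "../" in a request to wp-login.php is deliberately not flagged; restricting the traversal check to the connector paths keeps the alert volume tied to the vulnerable component.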
🔗 References
- https://github.com/Studio-42/elFinder
- https://github.com/Studio-42/elFinder/blob/master/php/elFinder.class.php#L5367
- https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/library/php/elFinder.class.php#L5411
- https://plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/lib/php/elFinder.class.php#L5378
- https://plugins.trac.wordpress.org/browser/wp-file-manager/trunk/lib/php/elFinder.class.php
- https://plugins.trac.wordpress.org/changeset/3319016/filester
- https://plugins.trac.wordpress.org/changeset/3335715/file-manager-advanced/trunk/application/library/php/elFinder.class.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c2a166de-3bdf-4883-91ba-655f2757c53b?source=cve