Page 3 of 16 results (0.007 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

There is an XSS vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. El plugin mndpsingh287 File Manager para WordPress es vulnerable a un Cross-site scripting (XSS) a través del parametro page=wp_file_manager_root public_path. There is an XSS vulnerability in the File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. • https://ansawaf.blogspot.com/2019/04/file-manager-plugin-wordpress-plugin.html https://wordpress.org/plugins/wp-file-manager/#developers https://wpvulndb.com/vulnerabilities/9614 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. El plugin mndpsingh287 File Manager para WordPress es vulnerable a un Cross-site request forgery (CSRF) a través del parametro page=wp_file_manager_root public_path. There is a CSRF vulnerability in the File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. • https://ansawaf.blogspot.com/2019/04/file-manager-plugin-wordpress-plugin.html https://wordpress.org/plugins/wp-file-manager/#developers https://wpvulndb.com/vulnerabilities/9614 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution. • https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1942390%40wp-file-manager&new=1942390%40wp-file-manager&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php. El plugin mndpsingh287 File Manager V2.9 para WordPress tiene Cross-Site Scripting (XSS) mediante el parámetro lang en una petición wp-admin/admin.php?page=wp_file_manager debido a que se emplea set_transient en file_folder_manager.php y hay un eco de lang en lib\wpfilemanager.php. • http://blog.51cto.com/010bjsoft/2171087 https://plugins.trac.wordpress.org/changeset/1936043 https://wordpress.org/support/topic/security-concern-6/#post-10655739 https://wpvulndb.com/vulnerabilities/9126 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites. inc/logger.php en el plugin Giribaz File Manager, en versiones anteriores a la 5.0.2, para WordPress registraba la actividad relacionada con el plugin en /wp-content/uploads/file-manager/log.txt. Si un usuario edita el archivo wp-config.php empleando este plugin, el contenido de wp-config.php se añade a log.txt, que no está protegido y contiene credenciales de base de datos, sales, etc. Estos archivos han sido indexados por Google y una simple búsqueda con Dork encontrará los sitios afectados. • https://plugins.trac.wordpress.org/changeset/1823035/file-manager https://wordpress.org/plugins/file-manager/#developers https://wpvulndb.com/vulnerabilities/9036 • CWE-532: Insertion of Sensitive Information into Log File •