CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4861 – File Manager Pro < 1.8.1 - Admin+ Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-4861
19 Sep 2023 — The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution. El complemento File Manager Pro de WordPress anterior a 1.8.1 permite a los usuarios administradores cargar archivos arbitrarios, incluso en entornos donde dicho usuario no debería poder obtener el control total del servidor, como una instalación mul... • https://wpscan.com/vulnerability/7fa03f00-25c7-4e40-8592-bb4001ce019d • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4862 – File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4862
19 Sep 2023 — The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users. El complemento File Manager Pro de WordPress anterior a 1.8.1 no valida ni escapa adecuadamente algunas entradas, lo que genera XSS por parte de usuarios con altos privilegios. The File Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8 due to insufficient input sanitization and ... • https://wpscan.com/vulnerability/81821bf5-69e1-4005-b3eb-d541490909cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF
https://notcve.org/view.php?id=CVE-2023-4827
11 Sep 2023 — The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. El complemento File Manager Pro de WordPress anterior a la versión 1.8 no verifica correctamente el nonce de CSRF en la acción AJAX `fs_connector`. Esto permite a los atacantes hacer que usuarios con privilegios elevados realic... • https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f • CWE-352: Cross-Site Request Forgery (CSRF) •