CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0761 – File Manager <= 7.2.1 - Sensitive Information Exposure via Backup Filenames
https://notcve.org/view.php?id=CVE-2024-0761
22 Jan 2024 — The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access. El complemento File Manager para WordPress es vulnerable a la exposición de información confiden... • https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24177 – WP File Manager < 7.1 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24177
26 Feb 2021 — In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response. En la configuración predeterminada del plugin de WordPress File Manager versiones anteriores a 7.1, un ataque de tipo XSS reflejado puede ocurrir en el endpoint /wp-admin/admin.php?page=wp_file_manager_properties cu... • https://n4nj0.github.io/advisories/wordpress-plugin-wp-file-manager-i • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 94%CPEs: 1EXPL: 17CVE-2020-25213 – WordPress File Manager Plugin Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-25213
01 Sep 2020 — The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. El complemento File Manager (wp-file-manager) versiones... • https://packetstorm.news/files/id/171650 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 45%CPEs: 1EXPL: 1CVE-2020-24312 – WP File Manager <= 6.4 - Unauthenticated Resource Access to Site Backups
https://notcve.org/view.php?id=CVE-2020-24312
13 Aug 2020 — mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken. mndpsingh287 WP File Manager versiones v6.4 y anteriores, no restringen el acceso externo al directorio fm_backups con un archivo .htaccess. Esto resulta en la posibilidad para unos usuarios no autenticados de exam... • https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16967 – File Manager <= 3.0 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-16967
17 Sep 2018 — There is an XSS vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. El plugin mndpsingh287 File Manager para WordPress es vulnerable a un Cross-site scripting (XSS) a través del parametro page=wp_file_manager_root public_path. There is an XSS vulnerability in the File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. • https://ansawaf.blogspot.com/2019/04/file-manager-plugin-wordpress-plugin.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16966 – File Manager <= 3.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-16966
17 Sep 2018 — There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. El plugin mndpsingh287 File Manager para WordPress es vulnerable a un Cross-site request forgery (CSRF) a través del parametro page=wp_file_manager_root public_path. There is a CSRF vulnerability in the File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. • https://ansawaf.blogspot.com/2019/04/file-manager-plugin-wordpress-plugin.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16363 – File Manager <= 2.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-16363
06 Sep 2018 — The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php. El plugin mndpsingh287 File Manager V2.9 para WordPress tiene Cross-Site Scripting (XSS) mediante el parámetro lang en una petición wp-admin/admin.php?page=wp_file_manager debido a que se emplea set_transient en file_folder_manager.php y hay un eco de lang en ... • http://blog.51cto.com/010bjsoft/2171087 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2017-17744 – Custom Map <= 1.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17744
19 Dec 2017 — A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php. Una vulnerabilidad de Cross-Site Scripting (XSS) en el plugin custom-map hasta la versión 1.1 para WordPress permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el parámetro map_id en view/advancedsettings.php. WordPress Custom Map plugin version 1.1 suffers from a cross s... • https://packetstorm.news/files/id/145505 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •