// For flags

CVE-2020-24312

WP File Manager <= 6.4 - Unauthenticated Resource Access to Site Backups

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.

mndpsingh287 WP File Manager versiones v6.4 y anteriores, no restringen el acceso externo al directorio fm_backups con un archivo .htaccess. Esto resulta en la posibilidad para unos usuarios no autenticados de examinar y descargar unas copias de seguridad del sitio, que a veces incluyen copias de seguridad completas de la base de datos, que ha tomado el plugin

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-08-13 CVE Reserved
  • 2020-08-13 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • 2024-09-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-552: Files or Directories Accessible to External Parties
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Webdesi9
Search vendor "Webdesi9"
 File Manager
Search vendor "Webdesi9" for product "File Manager"
 <= 6.4
Search vendor "Webdesi9" for product "File Manager" and version " <= 6.4"
wordpress
Affected