CVE-2020-25213

WordPress File Manager Plugin Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

El complemento File Manager (wp-file-manager) versiones anteriores a 6.9 para WordPress, permite a atacantes remotos cargar y ejecutar código PHP arbitrario porque cambia el nombre de un archivo de conector elFinder de ejemplo no seguro para que tenga la extensión .php. Esto, por ejemplo, permite a atacantes ejecutar el comando elFinder upload (o mkfile y put) para escribir código PHP en el directorio wp-content/plugins/wp-file-manager/lib/files/. Esto fue explotado "in the wild" en agosto y Septiembre de 2020.

The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.

WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-09-01 CVE Published
2020-09-09 CVE Reserved
2020-10-12 First Exploit
2021-11-03 Exploited in Wild
2022-05-03 KEV Due Date
2024-08-04 CVE Updated
2024-11-04 EPSS Updated

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (19)

URL	Tag	Source
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html	Third Party Advisory
https://wordpress.org/plugins/wp-file-manager/#developers	Product
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug	Media Coverage

URL	Date	SRC
https://www.exploit-db.com/exploits/49178	2020-12-02
https://www.exploit-db.com/exploits/51224	2023-04-03
https://github.com/mansoorr123/wp-file-manager-CVE-2020-25213	2020-10-12
https://github.com/BLY-Coder/Python-exploit-CVE-2020-25213	2023-03-13
https://github.com/b1ackros337/CVE-2020-25213	2022-07-09
https://github.com/piruprohacking/CVE-2020-25213	2021-04-03
https://github.com/Nguyen-id/CVE-2020-25213	2023-12-06
https://github.com/0000000O0Oo/Wordpress-CVE-2020-25213	2021-03-13
https://github.com/forse01/CVE-2020-25213-Wordpress	2021-03-05
https://github.com/E1tex/Python-CVE-2020-25213	2023-08-02
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html	2024-08-04
https://github.com/w4fz5uck5/wp-file-manager-0day	2024-08-04
https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager	2024-08-04
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin	2024-08-04

URL	Date	SRC
https://plugins.trac.wordpress.org/changeset/2373068	2023-04-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Webdesi9 Search vendor "Webdesi9"		File Manager Search vendor "Webdesi9" for product "File Manager"				< 6.9 Search vendor "Webdesi9" for product "File Manager" and version " < 6.9"		wordpress		Affected