Vulnerabilities and security researches forfile-manager file-manager
Direction: ascendingFile Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2023-5907
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Dec 12, 2023
- Research Description
- The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.
- Affected versions
-
max 6.3.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2018-7204
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Mar 08, 2018
- Research Description
- inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.
- Affected versions
-
max 5.0.2.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2022-0403
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Apr 04, 2022
- Research Description
- The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.
- Affected versions
-
max 4.9.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2021-32682
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Jun 14, 2021
- Research Description
- elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
- Affected versions
-
max 5.2.3.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2022-47599
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Dec 20, 2023
- Research Description
- Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager: from n/a through 5.2.7.
- Affected versions
-
max 6.0.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2024-7627
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Sep 05, 2024
- Research Description
- The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.
- Affected versions
-
Min 6.0, max 6.5.5.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2024-7770
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Sep 10, 2024
- Research Description
- The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Affected versions
-
max 6.5.6.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2024-8743
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Oct 05, 2024
- Research Description
- The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.
- Affected versions
-
max 6.5.8.
- Status
-
vulnerable
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager # CVE-2025-1725
- CVE, Research URL
- Home page URL
- Application
-
File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager
- Date
- Jun 03, 2025
- Research Description
- The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
- Affected versions
-
max 6.8.
- Status
-
vulnerable