cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forfilester filester

Direction: ascending
Jun 07, 2024

File Manager Pro – Filester # CVE-2023-4861

CVE, Research URL

CVE-2023-4861

Date
Oct 17, 2023
Research Description
The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution.
Affected versions
max 1.8.1.
Status
vulnerable

File Manager Pro – Filester # CVE-2023-4827

CVE, Research URL

CVE-2023-4827

Date
Oct 16, 2023
Research Description
The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.
Affected versions
max 1.8.
Status
vulnerable

File Manager Pro – Filester # CVE-2023-4862

CVE, Research URL

CVE-2023-4862

Date
Oct 17, 2023
Research Description
The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users.
Affected versions
max 1.8.1.
Status
vulnerable
Aug 04, 2024

File Manager Pro – Filester # CVE-2024-7031

CVE, Research URL

CVE-2024-7031

Date
Aug 03, 2024
Research Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded.
Affected versions
max 1.8.3.
Status
vulnerable
Nov 28, 2024

File Manager Pro – Filester # CVE-2024-9669

CVE, Research URL

CVE-2024-9669

Date
Nov 28, 2024
Research Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 1.8.5 via the 'fm_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The vulnerability was partially patched in version 1.8.5.
Affected versions
max 1.8.6.
Status
vulnerable

File Manager Pro – Filester # CVE-2024-8066

CVE, Research URL

CVE-2024-8066

Date
Nov 28, 2024
Research Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions
max 1.8.5.
Status
vulnerable
Dec 20, 2024

File Manager Pro – Filester # CVE-2024-12331

CVE, Research URL

CVE-2024-12331

Date
Dec 19, 2024
Research Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.
Affected versions
max 1.8.7.
Status
vulnerable
Jun 14, 2025

File Manager Pro – Filester # CVE-2025-3234

CVE, Research URL

CVE-2025-3234

Date
Jun 14, 2025
Research Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.
Affected versions
max 1.8.9.
Status
vulnerable
Jul 03, 2025

File Manager Pro – Filester # CVE-2025-52710

CVE, Research URL

CVE-2025-52710

Date
Jun 20, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ninja Team File Manager Pro filester allows Stored XSS.This issue affects File Manager Pro: from n/a through <= 1.8.8.
Affected versions
max 1.8.9.
Status
vulnerable
Mar 30, 2026

File Manager Pro &#8211; Filester # PSC-2026-64638

PSC, Research URL

PSC-2026-64638

Date
Mar 30, 2026
Research Description
File manager plugins are security-relevant by design because they provide direct filesystem access from wp-admin, including upload, download, edit, delete, and archive operations that normally require FTP or hosting panel access. If access control, request integrity, or path handling is weak, these features can become a shortcut to data exposure, site defacement, or availability impact. File Manager Pro – Filester version 2.0.2 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64638, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for WordPress file management tools.
Affected versions
Min 2.1.1, max 2.1.1.
Status
SAFE & CERTIFIED
Jun 16, 2026

File Manager Pro &#8211; Filester # c75dcf646123b7d7e3550e270e069e21b7a51e3f

Date
Aug 12, 2025
Research Description
File Manager Pro &#8211; Filester [filester] < 1.9 Multiple elFinder Plugins <= (Various Versions) - Directory Traversal to Arbitrary File Deletion Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
Affected versions
max 1.9.
Status
vulnerable
Jul 08, 2026

File Manager Pro &#8211; Filester # CVE-2026-6382

CVE, Research URL

CVE-2026-6382

Date
Jul 06, 2026
Research Description
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Affected versions
max 2.1.1.
Status
vulnerable