CVE-2020-25213 Scanner
CVE-2020-25213 scanner - Unrestricted File Upload vulnerability in File Manager plugin for WordPress
Short Info
- Level: Critical
- Single Scan: Single Scan
- Can be used by: Asset Owner
- Estimated Time: 30 seconds
- Time Interval: 4 weeks
- Scan only one: URL
- Toolbox: -
The File Manager plugin for WordPress is a popular tool used for managing files and directories on a website. It is designed to make file management easier and more efficient for website owners and administrators. With it, users can upload, delete, and modify files on their WordPress site directly from the admin dashboard. This plugin is highly regarded for its user-friendliness, versatility, and convenience.
Recently, however, a security flaw was detected in the plugin. CVE-2020-25213 allows remote attackers to execute arbitrary PHP code by abusing the plugin's unsafe example elFinder connector file. Simply put, attackers can upload malicious files into the wp-content/plugins/wp-file-manager/lib/files/ directory via an elFinder command and potentially take control of the website in question.
If the vulnerability is exploited, attackers can gain access to sensitive data, modify website content, install and execute malware, and disrupt legitimate website functions. The consequences can be catastrophic, particularly for businesses that rely heavily on their website for revenue and customer engagement. Once a website is compromised, it can lose credibility, customers, and revenue in a matter of days.
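The check below is an added example written for this page; it is not the s4e.io scanner's own code. It shows the non-intrusive way a site owner can assess exposure: read the plugin's public readme.txt, extract the "Stable tag" version and compare it with the first patched release. The patched version (6.9) is my assumption taken from the vendor changelog and should be confirmed against the plugins.trac.wordpress.org changeset listed in the references; the sample readme texts are constructed for the example. A version check is a heuristic (a readme can be missing or list "trunk"), so the result "unknown" is reported rather than guessed.

```python
"""Defensive version check for CVE-2020-25213 in the WordPress File Manager plugin.

Added example, not part of the original page or of the s4e.io scanner.
Assumptions: the first patched release is 6.9 (verify against the vendor
changeset), and readme.txt is served at the plugin's default path.
"""
import re
from typing import Optional, Tuple
from urllib.request import urlopen

PLUGIN_README_PATH = "/wp-content/plugins/wp-file-manager/readme.txt"
FIXED_VERSION = "6.9"  # assumption: first release containing the fix

# Constructed sample readme fragments (not real plugin files).
SAMPLE_VULNERABLE_README = """=== File Manager ===
Contributors: example
Stable tag: 6.8
Tested up to: 5.5
"""
SAMPLE_PATCHED_README = "=== File Manager ===\nStable tag: 6.9\n"


def parse_stable_tag(readme_text: str) -> Optional[str]:
    """Return the 'Stable tag' version from a plugin readme, or None if absent/non-numeric."""
    m = re.search(r"^\s*Stable tag:\s*([0-9][0-9.]*)\s*$",
                  readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'6.8' -> (6, 8); trailing zeros are dropped so that 6.9.0 compares equal to 6.9."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the assumed fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def assess_readme(readme_text: str) -> str:
    """Classify a readme as 'vulnerable', 'patched' or 'unknown' (no usable Stable tag)."""
    tag = parse_stable_tag(readme_text)
    if tag is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(tag) else "patched"


def fetch_readme(site_url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the plugin readme from a site you administer; None when unreachable or absent."""
    try:
        with urlopen(site_url.rstrip("/") + PLUGIN_README_PATH, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except OSError:  # URLError and HTTPError are OSError subclasses
        return None


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, text in (("vulnerable sample", SAMPLE_VULNERABLE_README),
                        ("patched sample", SAMPLE_PATCHED_README),
                        ("trunk sample", "Stable tag: trunk\n")):
        print(f"{label}: {assess_readme(text)}")
```

To run it against a site you administer, call `fetch_readme("https://example.org")` and pass the result to `assess_readme`; a "vulnerable" result means the plugin should be updated immediately, while "unknown" calls for checking the installed version from the WordPress admin dashboard instead.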
Thanks to the pro features of s4e.io, website owners and administrators can quickly and easily identify and mitigate security risks on their WordPress website. The platform provides comprehensive vulnerability scanning, risk reporting, and remediation solutions that can help safeguard digital assets. By investing in the right security tools, website owners can take proactive steps to protect their online assets against cyber attacks.
REFERENCES
- https://wordpress.org/plugins/wp-file-manager/#developers
- https://github.com/w4fz5uck5/wp-file-manager-0day
- https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html
- https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
- https://plugins.trac.wordpress.org/changeset/2373068
- https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/
- https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
- http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html