A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress File Manager Pro Plugin. This vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication.
This vulnerability was discovered and responsibly reported by Dmitrii Ignatyev.
The CSRF vulnerability is located in the filemanager-pro.php file. Because the plugin does not verify that requests carrying user input were intentionally issued by the logged-in user, an attacker can trick a higher-privileged user into performing an unwanted action under that user's session.
Severity:
The vulnerability has a CVSS 3.1 score of 8.8, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.
Affected Versions:
The vulnerability affects all versions of the File Manager Pro Plugin prior to 1.8.
Impact:
An attacker who successfully exploits this vulnerability could:
- Force a higher privileged user to delete or modify files.
- Force a higher privileged user to install malicious plugins or themes.
- Force a higher privileged user to change the website’s configuration.
- Take any other action that the higher privileged user could do.
Recommendation:
Users of the File Manager Pro Plugin are strongly advised to take the following actions:
- Update Plugin: First and foremost, update the File Manager Pro Plugin to the latest available version (1.8 or later). This update contains the security patches that mitigate the CSRF vulnerability.
- Regular Security Audits: Conduct regular security audits of the WordPress website to identify and address vulnerabilities promptly. Utilize security plugins and tools to assist in this process.
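The following is an added illustration of the vulnerability class described above and the standard WordPress mitigation; it is not code from the File Manager Pro Plugin. The handler names (fmp_delete_file_vulnerable, fmp_delete_file_fixed), the nonce action and field names, the `manage_options` capability and the admin page slug are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's own code. All hook, field and page
// names below are hypothetical.

// VULNERABLE PATTERN: an admin-post handler that acts on request input with
// no nonce and no capability check. A form on any third-party page can submit
// this request in the browser of a logged-in administrator, which is the CSRF
// class the advisory describes.
add_action( 'admin_post_fmp_delete_file_vulnerable', function () {
    $path = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    // ... the plugin's file operation would run here using the victim's session ...
    wp_safe_redirect( admin_url( 'admin.php?page=filemanager-pro' ) );
    exit;
} );

// HARDENED PATTERN: bind the request to a nonce issued for this exact action
// and for the current user, then confirm the user actually holds the capability.
add_action( 'admin_post_fmp_delete_file_fixed', function () {
    // check_admin_referer() stops with a 403 page when the nonce is missing,
    // expired, or was issued for a different action or user.
    check_admin_referer( 'fmp_delete_file', 'fmp_nonce' );

    // Nonces defeat forged cross-site requests; they do not grant authorization.
    // Keep the capability check so a low-privileged account cannot call this directly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    $path = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    // ... the plugin's file operation would run here ...
    wp_safe_redirect( admin_url( 'admin.php?page=filemanager-pro' ) );
    exit;
} );

// The legitimate form must carry the matching nonce field so that only
// requests rendered by the plugin itself pass check_admin_referer().
function fmp_render_delete_form( $path ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="fmp_delete_file_fixed">
        <input type="hidden" name="path" value="<?php echo esc_attr( $path ); ?>">
        <?php wp_nonce_field( 'fmp_delete_file', 'fmp_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or custom request handler that changes state and confirm it calls `check_admin_referer()` or `wp_verify_nonce()` and a `current_user_can()` check before acting.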