A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress File Manager Pro plugin. It could allow an attacker to make a higher-privileged user, such as an administrator, perform unwanted actions while logged in, simply by getting that user to visit a page the attacker controls.

This vulnerability was discovered and responsibly reported by Dmitrii Ignatyev.

The vulnerability is located in the filemanager-pro.php file. A state-changing request handled by the plugin is accepted without a check that the request was intentionally initiated by the logged-in user (for example a WordPress nonce bound to the action). Because browsers attach the victim's session cookies to any request sent to the site, a page under the attacker's control can submit that request on the victim's behalf, and the plugin executes it with the victim's privileges.
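The following is an added example, not code from File Manager Pro, showing the general shape of the problem and its fix in a WordPress admin-ajax handler. The hook name `fmp_delete_file`, the handler names, the `fmp-admin` script handle and the `path` parameter are all hypothetical. The only difference between the CSRF-prone handler and the hardened one is the nonce and capability guard at the top; the file-deletion helper is shared so that nothing else changes.

```php
<?php
/*
 * Added example (hypothetical names, not File Manager Pro's code):
 * a WordPress admin-ajax handler that deletes a file from the uploads
 * directory, first without CSRF protection, then hardened.
 */

// Shared helper: delete a single file from the uploads directory by name.
// basename() and sanitize_file_name() keep the example to one issue (CSRF)
// by refusing directory components, so "path" can only name a file in
// the uploads base directory.
function fmp_delete_upload( $name ) {
    $name = sanitize_file_name( basename( $name ) );
    if ( $name === '' ) {
        return false;
    }
    $file = trailingslashit( wp_upload_dir()['basedir'] ) . $name;
    return file_exists( $file ) && unlink( $file );
}

// CSRF-prone pattern (not hooked): the handler trusts any request that
// arrives with a valid login cookie. An administrator who visits an
// attacker-controlled page can be made to submit this POST, and the
// handler cannot distinguish that forged request from a genuine click.
function fmp_delete_file_unsafe() {
    $name = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    wp_send_json( array( 'deleted' => fmp_delete_upload( $name ) ) );
}

// Hardened pattern (hooked): verify intent, then verify authorisation.
add_action( 'wp_ajax_fmp_delete_file', 'fmp_delete_file_safe' );
function fmp_delete_file_safe() {
    // 1. Nonce check. The nonce is generated server-side for this user and
    //    action and handed to the plugin's own page; a cross-origin attacker
    //    page cannot read it, so a forged POST fails here. With the default
    //    third argument (true) check_ajax_referer() calls wp_die() on failure.
    check_ajax_referer( 'fmp_delete_file', 'nonce' );

    // 2. Capability check. A nonce proves the request came from a page
    //    WordPress rendered for this user; it says nothing about whether the
    //    user is allowed to perform the action, so check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    wp_send_json( array( 'deleted' => fmp_delete_upload( $name ) ) );
}

// Client side: give the plugin's admin script the nonce to send with each
// request. The nonce is bound to the logged-in user and to the action name
// used in check_ajax_referer() above, and expires after WordPress's nonce
// lifetime (24 hours by default).
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'fmp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'fmp-admin', 'fmpData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'fmp_delete_file' ),
    ) );
} );
```

The script receiving `fmpData` must send `fmpData.nonce` as the `nonce` field of every POST to `fmpData.ajaxUrl` with `action=fmp_delete_file`; any request without it, including one forged from another origin, is rejected before the deletion code runs. Note that only `wp_ajax_` (logged-in) handlers are shown; a `wp_ajax_nopriv_` handler for the same action would expose the operation to unauthenticated visitors regardless of the nonce.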

Severity:

The vulnerability has a CVSS 3.1 base score of 8.8, which falls in the High band (7.0 to 8.9), not the Critical band (9.0 and above). CVSS measures severity rather than likelihood of exploitation: the score reflects that a successful attack can fully compromise the confidentiality, integrity and availability of the affected site, while noting that, as with any CSRF, the attacker needs a privileged user to visit a page they control.

Affected Versions:

The vulnerability affects all versions of the File Manager Pro Plugin prior to 1.8.

Impact:

An attacker who successfully exploits this vulnerability could make a higher-privileged user unknowingly:

  • Delete or modify files on the site.
  • Install malicious plugins or themes.
  • Change the website's configuration.
  • Perform any other action that the vulnerable plugin functionality exposes to that user.

Recommendation:

Users of the File Manager Pro plugin are strongly advised to take the following actions:

  • Update the plugin: First and foremost, update File Manager Pro to version 1.8 or later. This release contains the fix for the CSRF vulnerability. Check the installed version on the Plugins page of the WordPress admin area and confirm it is 1.8 or higher after updating.
  • Audit regularly: Conduct regular security audits of the WordPress site, including a review of installed plugins and their versions, so that vulnerabilities like this one are identified and patched promptly. Security plugins and scanning tools can assist with this.