A Remote Code Execution (RCE) vulnerability has been identified in the WordPress File Manager Pro Plugin. This vulnerability could allow a malicious actor to execute arbitrary commands on the target website.
This vulnerability was discovered and responsibly reported by Alex Sanford.
The vulnerability is an RCE vulnerability that occurs in the file-manager-pro.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to execute arbitrary commands on the website.
The vulnerability has a CVSS 3.1 score of 8.2, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
All versions of the File Manager Pro Plugin prior to 1.8.1 are affected by this vulnerability.
An attacker who successfully exploits this vulnerability could:
- Execute arbitrary commands on the target website.
- Gain backdoor access to the website.
- Take full control of the website.
Users of the File Manager Pro Plugin are strongly recommend the following actions:
- Immediate Update: Without delay, update the File Manager Pro Plugin to the latest available version (at least 1.8.1). This update contains the crucial security fixes to address the RCE vulnerability.
- Regular Updates: Maintain a practice of regularly updating all WordPress plugins and themes to their latest versions, as these updates often include security enhancements.
- Security Audits: Consider performing security audits on the website to proactively identify and address potential vulnerabilities.
- Backup Strategy: Implement a robust backup and recovery strategy to protect the website’s data and content.
- Security Measures: Enhance the website’s security with measures like web application firewalls (WAFs), strong authentication protocols, and routine security assessments.
This vulnerability is a serious threat to the security of WordPress websites that use the File Manager Pro Plugin. Users are strongly advised to update to the latest available version (at least 1.8.1) as soon as possible.