CVE-2020-25213

CVSS 10 CRITICALEPSS 97.3%● KEVCWE-434

In short

The File Manager plugin for WordPress allows attackers to upload and execute malicious PHP code on the website. An unsafe configuration file was renamed to enable this attack, giving attackers full control over the server.

Technical detail

The plugin's elFinder connector file is insecurely configured, allowing remote attackers to exploit the upload, mkfile, and put commands to write arbitrary PHP files to wp-content/plugins/wp-file-manager/lib/files/. No authentication is required, and successful exploitation grants remote code execution with web server privileges.

Summary generated and translated by AI from the official description.

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

Affected products

n/a · n/a

public PoCs found — 14

githubgithub.com/mansoorr123/wp-file-manager-CVE-2020-25213★ 58 githubgithub.com/BLY-Coder/Python-exploit-CVE-2020-25213★ 6 githubgithub.com/E1tex/Python-CVE-2020-25213★ 3 githubgithub.com/kakamband/WPKiller★ 1 githubgithub.com/Cmadhushanka/wordpress-rce-vapt-cve-2020-25213★ 0 githubgithub.com/0000000O0Oo/Wordpress-CVE-2020-25213★ 0 githubgithub.com/piruprohacking/CVE-2020-25213★ 0 githubgithub.com/b1ackros337/CVE-2020-25213★ 0 githubgithub.com/KienHoSD/wp-file-manager-exploit-CVE-2020-25213-with-Zerologon★ 0 githubgithub.com/forse01/CVE-2020-25213-Wordpress★ 0 cve_referencepacketstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.htmlunverified cve_referencepacketstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.htmlunverified exploitdbwww.exploit-db.com/exploits/51224unverified exploitdbwww.exploit-db.com/exploits/49178unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html https://github.com/w4fz5uck5/wp-file-manager-0day https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html https://plugins.trac.wordpress.org/changeset/2373068 https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/https://wordpress.org/plugins/wp-file-manager/#developers https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25213 https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/