CVE-2020-25213 | The File Manager (wp-file-manager) plugin before 6.9 for Wor… | CVSS 10.0 CRITICAL

Description

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

Metadata

CVE ID: CVE-2020-25213
State: PUBLISHED
Assigner: mitre
Reserved: 2020-09-09 00:00 UTC
Published: 2020-09-09 00:00 UTC
Last updated: 2025-10-21 23:35 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product: n/a / n/a
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

SSVC — CISA Coordinator

Exploitation: ACTIVE
Automatable: yes
Tech. Impact: total

CISA Known Exploited Vulnerability

Vulnerability name: WordPress File Manager Plugin Remote Code Execution Vulnerability
Vendor: WordPress
Product: File Manager Plugin
Added to KEV: 2021-11-03
Due date: 2022-05-03
Ransomware: Not known

Required action

Apply updates per vendor instructions.

CISA description

WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.

Affected products (1)

Vendor	Product	Platform	Versions
n/a	n/a	—	n/a

Weakness (CWE)

CWE	Source	Description
—	cna	n/a
CWE-434	adp	CWE-434 Unrestricted Upload of File with Dangerous Type

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

References (9)