Back to overview

CVE-2026-6382

CRITICAL
9.1
CVSS 3.1
Description
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

Metadata

CVE ID
CVE-2026-6382
State
PUBLISHED
Assigner
WPScan
Reserved
2026-04-15 17:44 UTC
Published
2026-07-06 06:00 UTC
Last updated
2026-07-06 11:59 UTC
Vendor / Product
Unknown / FileOrganizer
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (4)
VendorProductPlatformVersions
Unknown Advanced File Manager 0 < 5.4.12
Unknown File Manager 0 < 8.0.4
Unknown File Manager Pro 0 < 2.1.1
Unknown FileOrganizer 0 < 1.1.9
Weakness (CWE)
CWESourceDescription
cna CWE-94 Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 adp CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Back to overview