← Retour aux CVEs
CVE-2020-25213
CRITICALCISA KEV10.0
Description
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
Details CVE
Score CVSS v3.110.0
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie9/9/2020
Derniere modification11/7/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurWordPress
ProduitFile Manager Plugin
Nom vulnerabiliteWordPress File Manager Plugin Remote Code Execution Vulnerability
Date ajout KEV2021-11-03
Date limite remediation2022-05-03
Utilise dans ransomwareUnknown
Produits affectes
filemanagerpro:file_manager
Faiblesses (CWE)
CWE-434CWE-434
References
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html(cve@mitre.org)
https://github.com/w4fz5uck5/wp-file-manager-0day(cve@mitre.org)
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html(cve@mitre.org)
https://plugins.trac.wordpress.org/changeset/2373068(cve@mitre.org)
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/(cve@mitre.org)
https://wordpress.org/plugins/wp-file-manager/#developers(cve@mitre.org)
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/(cve@mitre.org)
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/w4fz5uck5/wp-file-manager-0day(af854a3a-2127-422b-91ae-364da2661108)
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html(af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/changeset/2373068(af854a3a-2127-422b-91ae-364da2661108)
https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/(af854a3a-2127-422b-91ae-364da2661108)
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/(af854a3a-2127-422b-91ae-364da2661108)
https://wordpress.org/plugins/wp-file-manager/#developers(af854a3a-2127-422b-91ae-364da2661108)
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25213(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.