← Voltar para CVEs
CVE-2020-25213
CRITICALCISA KEV10.0
Descricao
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
Detalhes CVE
Pontuacao CVSS v3.110.0
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado9/9/2020
Ultima modificacao11/7/2025
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorWordPress
ProdutoFile Manager Plugin
Nome da vulnerabilidadeWordPress File Manager Plugin Remote Code Execution Vulnerability
Data inclusao KEV2021-11-03
Prazo de remediacao2022-05-03
Uso em ransomwareUnknown
Produtos afetados
filemanagerpro:file_manager
Fraquezas (CWE)
CWE-434CWE-434
Referencias
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html(cve@mitre.org)
https://github.com/w4fz5uck5/wp-file-manager-0day(cve@mitre.org)
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html(cve@mitre.org)
https://plugins.trac.wordpress.org/changeset/2373068(cve@mitre.org)
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/(cve@mitre.org)
https://wordpress.org/plugins/wp-file-manager/#developers(cve@mitre.org)
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/(cve@mitre.org)
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/w4fz5uck5/wp-file-manager-0day(af854a3a-2127-422b-91ae-364da2661108)
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html(af854a3a-2127-422b-91ae-364da2661108)
https://plugins.trac.wordpress.org/changeset/2373068(af854a3a-2127-422b-91ae-364da2661108)
https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/(af854a3a-2127-422b-91ae-364da2661108)
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/(af854a3a-2127-422b-91ae-364da2661108)
https://wordpress.org/plugins/wp-file-manager/#developers(af854a3a-2127-422b-91ae-364da2661108)
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-25213(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.