WordPress Plugin Vulnerabilities

Secure File Manager <= 2.9.3 - Admin+ Arbitrary File Upload

Description

Even though the plugin does not allow malicious files such as PHP to be uploaded via the UI, tampering with the upload request bypasses such check

Proof of Concept

Affects Plugins

Plugin icon
secure-file-manager
No known fix

Miscellaneous

Original Researcher
Wu YiXuan
Submitter
Wu YiXuan
Verified
Yes
WPVDB ID
0a087bc6-1afe-434c-b522-8765a851b23d

Timeline

Publicly Published
2021-09-01 (about 4 years ago)
Added
2022-02-15 (about 4 years ago)
Last Updated
2022-02-15 (about 4 years ago)

Other

Published
Title
Published
2023-11-27
Title
BookingPress < 1.0.77 - Authenticated (Administrator+) Arbitrary File Upload
Published
2025-06-11
Title
Flozen < 1.5.1 - Unauthenticated Arbitrary File Upload
Published
2015-06-29
Title
N-Media File Uploader <= 3.7 - Unauthenticated Arbitrary File Upload
Published
2014-08-01
Title
drag & drop file upload 0.1 - Arbitrary File Upload
Published
2015-04-09
Title
Windows Desktop And iPhone Photo Uploader <= 1.8 - File Upload