WordPress Plugin Vulnerabilities

Secure File Manager < 2.8.2 - Authenticated Remote Code Execution

Description

The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands.

v2.6 attempted to fix the issue by adding a CSRF nonce, however the nonce is displayed for all users in the Dashboard via the Secure File Manager menu (even though it will display an Unauthorized Access error for non admin users)

Proof of Concept

Affects Plugins

Plugin icon
secure-file-manager
Fixed in 2.8.2

References

CVE
CVE-2020-35235
URL
https://blog.nintechnet.com/authenticated-rce-vulnerability-in-wordpress-secure-file-manager-plugin-unpatched/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
NinTechNet
Verified
Yes
WPVDB ID
47c1639f-4558-4cb6-8f50-e5e8564663c2

Timeline

Publicly Published
2020-11-23 (about 5 years ago)
Added
2020-11-23 (about 5 years ago)
Last Updated
2021-06-08 (about 4 years ago)

Other

Published
Title
Published
2015-04-21
Title
MailChimp Subscribe Form <= 1.1 - Email Field Remote PHP Code Execution
Published
2026-01-15
Title
Event Tickets with Ticket Scanner < 2.8.6 - Unauthenticated Remote Code Execution
Published
2021-09-13
Title
EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
Published
2023-11-24
Title
Vrm 360 3D Model Viewer <= 1.2.1 - Contributor+ Arbitrary File Upload Leading to RCE
Published
2025-03-07
Title
Code Snippets CPT <= 2.1.0 - Authenticated (Subscriber+) Arbitrary Shortcode Execution