File Manager < 6.5 – Backup File Directory Listing | CVE 2020-24312

Description

The File Manager WordPress plugin could expose backup files if the web server had Directory Listing enabled.

The File Manager WordPress plugin, version 6.4 and lower, failed to restrict external access to the fm_backups directory with a .htaccess file. This resulted in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, which the plugin had taken.

Proof of Concept

The backup files could be found in the /wp-content/uploads/wp-file-manager-pro/fm_backup directory.

Affects Plugins

wp-file-manager

Fixed in 6.5

References

CVE

CVE-2020-24312

URL

https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/

URL

https://plugins.trac.wordpress.org/changeset/2326268/wp-file-manager

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

zerodetail & ratherbland

Verified

WPVDB ID

49533dc2-17cb-459c-af28-69a7b9b9512f

Timeline

Publicly Published

2020-08-10 (about 5 years ago)

Added

2020-08-26 (about 5 years ago)

Last Updated

2020-08-27 (about 5 years ago)

Other

Published

Title

Published

2024-04-25

Title

Solid Affiliate <= 1.9.1 - Sensitive Information Exposure

Published

2022-10-24

Title

Phone Orders for WooCommerce < 3.7.2 - Subscriber+ Sensitive Data Exposure

Published

2024-08-29

Title

Masterstudy LMS Starter < 1.1.9 - Unauthenticated Sensitive Information Exposure

Published

2021-09-09

Title

WordPress 5.4 to 5.8 - Data Exposure via REST API

Published

2025-03-24

Title

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy < 3.3.7 - Unauthenticated Private Post Title Disclosure