WordPress Plugin Vulnerabilities

Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilites

Description

Media File Manager Advanced suffers from executing administrator actions by any authenticated user due to weak permissions checking.

An attacker is able to delete/update posts, Creating/Removing/Listing Directories, Moving/Renaming/Deleting Files, Blind SQL Injection and Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
media-file-manager-advanced
No known fix

References

URL
https://packetstormsecurity.com/files/#131949/
URL
https://web.archive.org/web/20150912142109/https://research.evex.pw/?vuln=16

Miscellaneous

Submitter
A. Samman
Submitter twitter
Evex_1337
Verified
No
WPVDB ID
53265ed7-133d-4a1e-92fa-86e22ebffc4c

Timeline

Publicly Published
2015-05-13 (about 11 years ago)
Added
2015-05-13 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2015-07-01
Title
Powerplay Gallery - Arbitrary File Upload & SQL Injection
Published
2015-09-17
Title
WP Shop <= 3.4.3.18 - Cross-Site Scripting (XSS) & CSRF
Published
2019-11-13
Title
Email Subscribers & Newsletters < 4.2.3 - Multiple Issues
Published
2014-08-01
Title
WP Ultimate Email Marketer - Multiple Vulnerabilities
Published
2015-05-13
Title
Booking Calendar Contact Form <= 1.0.2 - Multiple Authenticated Vulnerabilities