File Manager Pro – Filester < 1.8.9 – Administrator+ Arbitrary File Upload | CVE 2025-3234 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.

Affects Plugins

Fixed in 1.8.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/00df02cd-b4d3-477a-86ee-aa2f9b5216e8

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

b1aa7ee5-302f-4930-83e6-ccad4806593a

Timeline

Publicly Published

2025-06-13 (about 1 year ago)

Added

2025-06-16 (about 1 year ago)

Last Updated

2025-06-16 (about 1 year ago)

Other

Published

Title

Published

2014-09-28

Title

N-Media File Uploader < 3.5 Arbitrary File Upload

Published

2014-08-01

Title

Annonces 1.2.0.1 - Shell Upload

Published

2024-04-22

Title

WP-Lister Lite for eBay < 3.6.0 - Authenticated (Shop Manager+) Arbitrary File Upload

Published

2024-10-28

Title

WP donimedia carousel <= 1.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2026-03-23

Title

WPBookit Pro <= 1.6.18 - Authenticated (Subscriber+) Arbitrary File Upload