WordPress Plugin Vulnerabilities

Secure File Manager <= 2.9.3 - Admin+ RCE

Description

In the plugin, high privilege users such as admin could upload php files by changing the content type and renaming the .php to extension to .phtml

Affects Plugins

Plugin icon
secure-file-manager
No known fix

References

URL
https://github.com/Hacker5preme/SFM-Exploit

Miscellaneous

Original Researcher
Ron Jost
Submitter
Ron Jost
Submitter website
https://github.com/Hacker5preme
Verified
Yes
WPVDB ID
c55ed18f-95e1-42e6-81d9-832ad8f55224

Timeline

Publicly Published
2021-09-01 (about 4 years ago)
Added
2022-02-15 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2022-11-21
Title
Motors - Car Dealer, Classifieds & Listing < 1.4.4 - Arbitrary File Upload
Published
2014-09-28
Title
N-Media File Uploader < 3.5 Arbitrary File Upload
Published
2022-07-18
Title
Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
Published
2025-05-07
Title
BEAF < 4.6.11 - Authenticated (Admin+) Arbitrary File Upload
Published
2015-07-06
Title
ACF Frontend Display <= 2.0.6 - Arbitrary File Upload