File Manager < 7.2.2 – Sensitive Information Exposure via Backup Filenames | CVE 2024-0761 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Sensitive Information Exposure due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access.

Affects Plugins

wp-file-manager

Fixed in 7.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Yuki Haruma

Verified

No

WPVDB ID

e1b4077a-2b56-4fd9-9a19-d758dacb08a4

Timeline

Publicly Published

2024-01-22 (about 2 years ago)

Added

2024-01-26 (about 2 years ago)

Last Updated

2024-01-26 (about 2 years ago)

Other

Published

Title

Published

2024-03-20

Title

Avada < 7.11.7 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing

Published

2026-01-27

Title

JobBoard Job listing <= 1.2.8 - Unauthenticated Information Exposure

Published

2024-10-23

Title

Elementor Header & Footer Builder < 1.6.44 - Authenticated (Contributor+) Information Disclosure via Shortcode

Published

2022-01-14

Title

Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure

Published

2025-03-24

Title

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy < 3.3.7 - Unauthenticated Private Post Title Disclosure