File Manager < 6.3 – Admin+ Arbitrary OS File/Folder Access + Path Traversal | CVE 2023-5907 | Plugin Vulnerabilities

Description

The plugin does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.

Proof of Concept

1. Go to settings page (/wordpress/wp-admin/admin.php?page=file-manager-settings).
2. In the “Root Folder Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc.
3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file-manager#elf_l1_Lw).
4. You will be able to list the files/folders outside of the WordPress root directory.

Affects Plugins

Fixed in 6.3

References

CVE

URL

https://research.cleantalk.org/cve-2023-5907-file-manager-6-3-arbitrary-os-file-folder-access-path-traversal

YouTube Video

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

f250226f-4a05-4d75-93c4-5444a4ce919e

Timeline

Publicly Published

2023-11-20 (about 2 years ago)

Added

2023-11-20 (about 2 years ago)

Last Updated

2023-11-24 (about 2 years ago)

Other

Published

Title

Published

2022-10-14

Title

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload

Published

2019-03-07

Title

Caldera Forms Pro < 1.8.2 - Unauthenticated Arbitrary File Read

Published

2025-10-15

Title

Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download

Published

2023-03-20

Title

All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal

Published

2024-01-03

Title

WP Compress < 6.10.34 - Unauthenticated Arbitrary File Read