High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin

On December 14th, 2023, shortly after the launch of the Wordfence Holiday Bug Extravaganza, the Wordfence team received a submission for an Arbitrary File Upload vulnerability in File Manager Pro, a WordPress plugin with an estimated 10,000+ active installations. This vulnerability made it possible for authenticated attackers to create a PHP file that could contain malicious content and be used for complete site takeover.

Props to Tobias Weißhaar who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $657.00 for this discovery during our Bug Bounty Program Extravaganza. Although the installation count would typically place this vulnerability out of scope for our bug bounty program, the severity and ease of exploitation combined with the much larger installation count of the free version of the plugin warranted some flexibility.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on January 8, 2024. Sites still using the free version of Wordfence received the same protection on February 7, 2024.

Wordfence contacted the File Manager developer team on December 14th, 2023, and received a response on December 15th, 2023. After providing full disclosure details, the developer released a patch on January 8th, 2024.

We urge users to update their sites with the latest patched version of File Manager Pro, version 8.3.5 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-vulnerability-patched-in-file-manager-pro-wordpress-plugin
