Zero-day vulnerability in File Manager

Arbitrary file upload

Exploitation of the vulnerability was detected on September 1st, 2020. Attackers can remotely upload arbitrary files and execute arbitrary code.

Vulnerability details

Advisory: SB2020090202 - Arbitrary file upload in File Manager plugin for WordPress

Vulnerable component: File Manager

CVE-ID:

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Description:

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to insufficient validation of uploaded files in wp-file-manager, in the "lib/php/connector.minimal.php" and "lib/files/hardfork.php" files. A remote attacker can upload a malicious file and execute it on the server.

Note: The vulnerability is being actively exploited in the wild.
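Because the advisory names the files involved but not how to spot exploitation attempts, the following added example (not from the advisory's authors or the plugin's code) scans web-server access logs for requests to those paths. It assumes the plugin lives under /wp-content/plugins/wp-file-manager/, that legitimate use of the plugin never requests connector.minimal.php directly, and uses constructed log lines rather than real traffic.

```python
import re

# Paths named in the advisory, relative to the plugin directory.
CONNECTOR = "lib/php/connector.minimal.php"
UPLOAD_DIR = "lib/files/"

# Combined log format: client, timestamp, method, path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2020:10:02:11 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.10 - - [01/Sep/2020:10:02:13 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/dropped.php HTTP/1.1" 200 94 "-" "python-requests/2.24"
198.51.100.7 - - [01/Sep/2020:10:05:40 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2020:10:05:41 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}

def classify(req):
    """Return a reason if the request touches a path from the advisory, else None."""
    path = req["path"]
    if path.endswith(CONNECTOR):
        return "direct request to the upload connector"
    if UPLOAD_DIR in path and path.lower().endswith(".php"):
        return "PHP file requested from the upload directory"
    return None

def find_suspicious(log_text):
    """Flag matching requests; escalate when one client hits the connector and then executes PHP from lib/files/."""
    findings, hit_connector = [], set()
    for line in log_text.splitlines():
        req = parse(line)
        reason = classify(req) if req else None
        if not reason:
            continue
        severity = "medium"
        if req["path"].endswith(CONNECTOR):
            hit_connector.add(req["ip"])
        elif req["ip"] in hit_connector and req["status"] == 200:
            severity = "high"  # upload via connector, then successful fetch of PHP under lib/files/
            reason += " after a connector request from the same client"
        findings.append({**req, "reason": reason, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']}: {f['reason']}")
```

Run it against the site's real access logs instead of SAMPLE_LOG; a high-severity hit is a strong indicator that an uploaded file has already been executed and the host should be treated as compromised.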