How To Exploit Arbitrary Code in WordPress File Manager Plugin | CVE-2020-25213

CVE-2020-25213

The File Manager plugin (wp-file-manager) before version 6.9 for WordPress has a vulnerability that allows remote attackers to upload and execute arbitrary PHP code. The vulnerability arises from the plugin renaming an unsafe example elFinder connector file to have the .php extension, enabling attackers to use elFinder commands to upload PHP code to the wp-content/plugins/wp-file-manager/lib/files/ directory. This security issue was actively exploited in August and September 2020.

Disclaimer

The content provided here is for educational purposes only. It is designed to help security enthusiasts and professionals understand vulnerabilities and improve application security. Please use the information responsibly and never for illegal activities or unauthorized testing. Always ensure you have proper authorization before performing any security testing on systems, applications, or networks.

We are not responsible for any misuse of the materials shared here or any consequences that arise from their use. All testing should be done in a controlled environment, such as the labs or Docker images we provide, or with explicit permission from system owners. By using OpenExploit resources, you agree to follow applicable laws and ethical guidelines.

About WordPress

WordPress is a popular open-source content management system (CMS) that enables users to create and manage websites with ease. Initially designed for blogging, WordPress has evolved into a highly versatile platform, supporting various types of websites such as online stores, portfolios, and business sites. It offers a user-friendly interface, extensive customization options through themes and plugins, and a robust community of developers and contributors who continuously enhance its functionality and security.

Mitigation

  1. Update the File Manager plugin to version 6.9 or later, as this version addresses the vulnerability.
  2. Delete or rename the unsafe example elFinder connector file to prevent it from being accessed and used maliciously.
  3. Regularly review and monitor the contents of the "wp-content/plugins/wp-file-manager/lib/files/" directory to ensure no unauthorized files have been uploaded.
  4. Implement additional security measures such as file upload restrictions and regular security scanning for the WordPress installation.
  5. Educate users and administrators about the importance of keeping plugins updated and being cautious of suspicious activities.
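The following script is an added example for the first and third mitigation items above; it is not part of the OpenExploit page or the plugin's own code. It reads the installed plugin version from the plugin header and compares it with the fixed release 6.9, and it lists files under wp-content/plugins/wp-file-manager/lib/files/ whose names carry an extension a PHP-capable web server might execute. The plugin main-file name (PLUGIN_MAIN_FILE) and the extension list are assumptions, and the sample site tree is constructed by the script itself so it runs offline.

```python
"""Added defender-side checks for CVE-2020-25213 (wp-file-manager before 6.9).

Two checks from the Mitigation list:
  1. read the installed plugin version and compare it with the fixed release 6.9;
  2. list files under wp-content/plugins/wp-file-manager/lib/files/ that a
     PHP-capable web server could execute.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (6, 9)
PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")
UPLOAD_DIR = PLUGIN_DIR / "lib/files"   # directory named in the advisory
# ASSUMPTION: name of the plugin's main file carrying the "Version:" header.
PLUGIN_MAIN_FILE = "file_manager.php"
# ASSUMPTION: extensions a typical PHP handler configuration will execute.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}


def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Pull the 'Version: x.y' line out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """Tuple comparison orders 6.10 after 6.9, which a string compare would get wrong."""
    return version < FIXED_VERSION


def find_executable_uploads(wp_root: Path) -> List[str]:
    """Files under lib/files carrying any executable extension anywhere in the
    name, so double-extension names such as 'x.php.jpg' are reported too."""
    target = wp_root / UPLOAD_DIR
    if not target.is_dir():
        return []
    hits = []
    for path in target.rglob("*"):
        if path.is_file() and any(s.lower() in EXECUTABLE_EXTENSIONS for s in path.suffixes):
            hits.append(path.relative_to(wp_root).as_posix())
    return sorted(hits)


def audit(wp_root: Path) -> Dict[str, object]:
    """Combine the version check and the upload-directory scan for one site."""
    main_file = wp_root / PLUGIN_DIR / PLUGIN_MAIN_FILE
    version = parse_version(main_file.read_text()) if main_file.is_file() else None
    return {
        "version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "executable_uploads": find_executable_uploads(wp_root),
    }


def build_demo_site(root: Path, version: str = "6.8") -> Path:
    """Constructed sample tree: an outdated plugin and planted files in lib/files."""
    plugin = root / PLUGIN_DIR
    (plugin / "lib/files/sub").mkdir(parents=True)
    (plugin / PLUGIN_MAIN_FILE).write_text(
        f"<?php\n/*\nPlugin Name: File Manager\nVersion: {version}\n*/\n"
    )
    (plugin / "lib/files/notes.txt").write_text("harmless\n")            # benign
    (plugin / "lib/files/sub/cmd.php").write_text("<?php // planted sample\n")
    (plugin / "lib/files/pic.php.jpg").write_text("not really an image\n")
    return root


def run_demo() -> Dict[str, object]:
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_demo_site(Path(tmp)))


if __name__ == "__main__":
    print(run_demo())
```

On a real host, call audit() with the WordPress document root; an empty executable_uploads list and vulnerable_version False is the expected clean result once the plugin is on 6.9 or later. Files listed under executable_uploads warrant review regardless of version, since an upload that predates the update remains in place after patching.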

Exploit Scenario

The exploit scenario for the File Manager plugin before version 6.9 for WordPress involves remote attackers taking advantage of the plugin's vulnerability to upload and execute arbitrary PHP code. The vulnerability stems from the plugin's unsafe handling of an example elFinder connector file, which it renames with a .php extension. Attackers can use the elFinder upload, mkfile, or put commands to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This vulnerability was actively exploited in the wild during August and September of 2020, allowing attackers to execute malicious code on affected websites.

DockerHub Link

To try out a demo environment for CVE-2020-25213, you can visit our DockerHub repository here

Video Tutorial

Video tutorials for exploiting CVE-2020-25213 are available here

About OpenExploit

OpenExploit is a learning platform dedicated to exploring and understanding vulnerabilities in open-source and widely used applications. We focus on manual exploitation techniques, enabling security enthusiasts to learn and build their skills without over-reliance on automation scripts.
