WordPress File Manager Plugin Remote Code Execution Vulnerability


On 1st September 2020, researchers at Wordfence published a blog post about a remote code execution vulnerability in the WordPress File Manager plugin. Successful exploitation of this vulnerability allows unauthenticated remote attackers to execute commands and upload malicious files and shells on a target website. The vulnerability currently does not have any CVE assigned to it and has a CVSSv3 score of 10.0, with severity marked as Critical.


The File Manager plugin allows website admins to edit, delete and upload files and folders directly from the back-end without having to use FTP. According to the researchers, the vulnerability exists due to an open-source file manager library called elFinder used in the plugin. It was observed that the file connector.minimal.php.dist was shipped in an executable form, renamed to .php, which could be accessed by anyone to execute commands via a function in elFinderConnector.class.php.

According to the researchers, the connector.minimal.php.dist file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file:

    // run elFinder
    $connector = new elFinderConnector(new elFinder($opts));


Any parameters sent in a request to connector.minimal.php were processed by the run() function in the elFinderConnector.class.php file, including the command supplied in the cmd parameter:

    public function run()
    {
        // Collect request parameters; no authentication or capability check happens here
        $isPost = $this->reqMethod === 'POST';
        $src = $isPost ? array_merge($_GET, $_POST) : $_GET;
        $maxInputVars = (!$src || isset($src['targets'])) ? ini_get('max_input_vars') : null;
        if ((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')) {
            // for max_input_vars and supports IE XDomainRequest()
            $parts = explode('&', $rawPostData);
            if (!$src || $maxInputVars < count($parts)) {
                // Re-parse the raw body by hand so oversized requests are not truncated
                $src = array();
                foreach ($parts as $part) {
                    list($key, $value) = array_pad(explode('=', $part), 2, '');
                    $key = rawurldecode($key);
                    if (preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)) {
                        // Array-style keys such as targets[] or targets[0]
                        $key = $m[1];
                        $idx = $m[2];
                        if (!isset($src[$key])) {
                            $src[$key] = array();
                        }
                        if ($idx) {
                            $src[$key][$idx] = rawurldecode($value);
                        } else {
                            $src[$key][] = rawurldecode($value);
                        }
                    } else {
                        $src[$key] = rawurldecode($value);
                    }
                }
                $_POST = $this->input_filter($src);
                $_REQUEST = $this->input_filter(array_merge_recursive($src, $_REQUEST));
            }
        }

        if (isset($src['targets']) && $this->elFinder->maxTargets && count($src['targets']) > $this->elFinder->maxTargets) {
            $this->output(array('error' => $this->elFinder->error(elFinder::ERROR_MAX_TARGTES)));
        }

        // The command to execute is taken straight from the request
        $cmd = isset($src['cmd']) ? $src['cmd'] : '';
        $args = array();
        // ... (remainder of the function not shown in the advisory)
    }


Attackers can exploit this vulnerability by sending a specially crafted request to the connector.minimal.php file. Successful exploitation would allow unauthenticated attackers to execute commands and upload malicious files and shells on a target website.

A proof of concept (PoC) exploit was published in a GitHub repository for this vulnerability. With the plugin installed on over 700,000 active WordPress websites, the vulnerability is being actively exploited in the wild.

Affected Versions:

File Manager plugin 6.0-6.8
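As an added defender-side example (not code from the advisory, Wordfence, or the plugin itself), the Python below checks the plugin's header version against the affected range 6.0-6.8 and flags web-server access-log requests that reach the exposed connector. The plugin directory layout (wp-file-manager/lib/php/), the Common Log Format lines and the client IP addresses are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed plugin layout: the exposed elFinder connector lives at
# wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php
CONNECTOR_PATH = "/wp-file-manager/lib/php/connector.minimal.php"

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

AFFECTED = ((6, 0), (6, 8))  # File Manager 6.0 through 6.8, per the advisory

# Constructed sample access-log lines (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2020:10:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [01/Sep/2020:10:12:03 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=upload HTTP/1.1" 200 188
198.51.100.9 - - [01/Sep/2020:10:13:40 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 95
192.0.2.5 - - [01/Sep/2020:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

def version_is_affected(header_text):
    """Parse the 'Version:' line of the plugin's PHP header comment.
    Returns True/False, or None when no version line is present."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split(".")[:2])
    parts = parts + (0,) * (2 - len(parts))  # "6" -> (6, 0)
    return AFFECTED[0] <= parts <= AFFECTED[1]

def find_connector_hits(log_lines):
    """Return (client, method, cmd, status) for every request to the connector.
    Any hit is suspicious: nothing legitimate should reach this file directly."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(CONNECTOR_PATH):
            continue
        # POST bodies are not logged, so cmd is only visible when sent in the query string
        cmd = parse_qs(url.query).get("cmd", [""])[0]
        hits.append((client, method, cmd, status))
    return hits

if __name__ == "__main__":
    for hit in find_connector_hits(SAMPLE_LOG.splitlines()):
        print("connector request:", hit)
```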


The vendor has released a patch to address this vulnerability. Customers are recommended to update the File Manager plugin to version 6.9.


Qualys customers can scan their network with QID 13966 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.


