CVE-2020-25213NVD

Vulnerability Summary

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.

Severity Level

CRITICAL(10.0)

Published Date

Sep 9, 2020

Last Modified

Oct 21, 2025

Exploitation Status

ACTIVE

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack ComplexityLow

Attack VectorNetwork

AvailabilityHigh

ConfidentialityHigh

IntegrityHigh

Privileges RequiredNone

ScopeChanged

User InteractionNone

External References

https://wordpress.org/plugins/wp-file-manager/#developers
https://github.com/w4fz5uck5/wp-file-manager-0day
https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html
https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
https://plugins.trac.wordpress.org/changeset/2373068
https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/
https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html
http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html