Authenticated RCE vulnerability in WordPress Secure File Manager plugin (unpatched).

This plugin is not maintained any longer and the vulnerability has never been fixed. Make sure to follow the recommendations below.

The WordPress Secure File Manager plugin (about 1,000 active installations) is affected by an authenticated remote code execution vulnerability in version 2.5 and below.

Authenticated Remote Code Execution

The plugin uses the same elFinder libraries as the File Manager plugin we mentioned last September.
In the “vendor/elfinder/php/connector.minimal.php” script, it loads elFinder as soon as the request carries a valid WordPress authentication cookie:

// vendor/elfinder/php/connector.minimal.php (plugin code as shipped)
// wp_validate_auth_cookie() only verifies the auth cookie; it does not
// check the user's role or capabilities, and no nonce is verified.
if ( wp_validate_auth_cookie() ){
   runConnector(); // starts the elFinder connector, exposing all its commands
}

The file manager communicates directly with this script using AJAX. There is no capability check and no security nonce; the only restriction is the call to the WordPress wp_validate_auth_cookie function (line 328), which merely checks whether the request comes from an authenticated user. It does not check the user's role or capabilities, so an account with the lowest-privilege role (e.g. Subscriber) passes the test.
Any logged-in user can therefore run the file manager's commands (upload, rename, create, view, delete, etc.) and, because the connector's root is not confined to an upload directory, can do so in any directory inside the vhost. Uploading a PHP script into a web-accessible directory is enough to obtain remote code execution.
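As an added illustration, not code from the plugin or from elFinder, this is how the same gate would look with the three missing controls in place: authentication (already present), an explicit capability check, and a nonce bound to the logged-in user. It assumes the connector is still reached through WordPress (so the WP functions are available) and that the JavaScript side is updated to send a nonce created with wp_create_nonce( 'sfm_elfinder' ); the names sfm_can_run_connector and sfm_elfinder are hypothetical.

```php
<?php
// Hardened replacement for the gate in connector.minimal.php (example code,
// not the plugin's own). Assumes WordPress is loaded and that the client
// sends the `_wpnonce` parameter produced by wp_create_nonce( 'sfm_elfinder' ).

function sfm_can_run_connector() {
    // 1. Authentication: same check the plugin already performs. Returns the
    //    user ID on success, false otherwise.
    $user_id = wp_validate_auth_cookie();
    if ( ! $user_id ) {
        return false;
    }

    // Make the authenticated user the current user so that capability and
    // nonce checks below are evaluated against the right account.
    wp_set_current_user( $user_id );

    // 2. Authorisation: a valid cookie says nothing about the role. Require
    //    an explicit capability; manage_options limits access to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }

    // 3. CSRF protection: verify a nonce tied to this user and action.
    //    With die=false, check_ajax_referer() returns false instead of exiting.
    if ( ! check_ajax_referer( 'sfm_elfinder', '_wpnonce', false ) ) {
        return false;
    }

    return true;
}

if ( sfm_can_run_connector() ) {
    runConnector();
} else {
    // Reject everything else explicitly instead of silently returning.
    wp_die( 'Forbidden', '', array( 'response' => 403 ) );
}
```

This only fixes who may reach the connector. Independently of that, the elFinder root should point at a dedicated directory (the `path` option of the LocalFileSystem root) rather than the web root, and `uploadAllow`/`uploadDeny` should be used to keep executable file types out, so that even an authorised user cannot drop PHP files where the web server will execute them.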

Timeline

After unsuccessful attempts to contact the author starting on September 02, 2020, the issue was escalated to the wordpress.org plugins team and the plugin was removed from the repository on September 08.

Recommendations

We recommend uninstalling this plugin, as there is no security patch available. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
