CVE-2023-5907

2023-12-1120:15:07

CWE-552

[email protected]

web.nvd.nist.gov

file manager

wordpress plugin

cve-2023-5907

security vulnerability

unauthorized access

system files

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

19.6%

JSON

The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.

Affected configurations

Vulners

NVD

Node

file_upload_managerfile_upload_managerRange<6.3

VendorProductVersionCPE
file_upload_managerfile_upload_manager*cpe:2.3:a:file_upload_manager:file_upload_manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
file_upload_manager	file_upload_manager	*	cpe:2.3:a:file_upload_manager:file_upload_manager::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "File Manager",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "6.3"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]