Description
The plugin is vulnerable to an RCE (Remote Code Execution) vulnerability, which allows a user with Author-level privileges to execute operating system commands and fully compromise the server.
PoC
1) Go to the main dashboard of the plugin: http://your_site/wordpress/wp-admin/edit.php?post_type=filr
2) Add a new File.
3) Upload a file with the extension “phar” and malicious code inside, like
4) Go to http://your_site/wordpress/wp-content/uploads/filr/{number_of_post}/cmd.phar?cmd=ps+aux (or pwd or id) to trigger the RCE.
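From the defender's side, the post-exploitation step above leaves a recognisable trace: a request for an executable-extension file under the plugin's uploads directory, often carrying a command parameter. The following detection script is an added example and not part of the advisory; it assumes Apache/nginx combined log format and uses constructed log lines, and the extension list beyond .phar is an assumption of what a typical PHP handler configuration would execute.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /wordpress/wp-content/uploads/filr/12/cmd.phar?cmd=id HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:12:00:02 +0000] "GET /wordpress/wp-content/uploads/filr/12/report.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:12:00:03 +0000] "GET /wordpress/wp-content/uploads/filr/3/shell.PHAR?cmd=ps+aux HTTP/1.1" 200 2048 "-" "python-requests/2.25"
198.51.100.7 - - [10/Mar/2021:12:00:04 +0000] "GET /wordpress/wp-admin/edit.php?post_type=filr HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP handler commonly executes; the advisory's case is .phar.
# The extra entries are an assumption, adjust to the server's actual handler config.
EXEC_EXT = {".php", ".phar", ".phtml", ".php5", ".php7"}
UPLOADS_PREFIX = "/wp-content/uploads/filr/"


def is_suspicious(target: str) -> bool:
    """True when the request fetches an executable-extension file from the plugin's uploads dir."""
    path = urlsplit(target).path.lower()
    if UPLOADS_PREFIX not in path:
        return False
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in EXEC_EXT


def find_hits(log_text: str) -> list[dict]:
    """Return one record per suspicious request: source IP, time, path, query keys, status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious(m["target"]):
            continue
        parts = urlsplit(m["target"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "params": sorted(parse_qs(parts.query)), "status": int(m["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['path']} params={hit['params']} status={hit['status']}")
```

A 200 status on such a request means the file was served and most likely executed; the same extension allowlist applied at upload time, plus a handler rule that refuses to execute scripts under wp-content/uploads, removes the condition entirely.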