CVE-2025-0818 MEDIUM

CVE-2025-0818: Multiple elFinder Plugins <= (Various Versions) - Directory Traversal to Arbitrary File Deletion

Vendor Ninjateam
Product File Manager Pro – Filester
Weakness CWE-22 · Path traversal
Published August 13, 2025
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01 Description

Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.

Explanation of Vulnerability in Simple Terms

02 Summary

File Manager Pro – Filester versions up to 1.8.9 contain a path traversal vulnerability that allows an attacker to write or modify files outside the intended directory. The vulnerability requires specific conditions to exploit but can result in file corruption or unauthorized modifications. Site administrators should update to a version newer than 1.8.9 as soon as possible.

What an attacker can do

03 Attacker Capabilities

Write or modify files outside the intended directory on the server.

Potential impact on your site

04 Site Impact

Unauthorized file modifications or corruption; potential site malfunction or data loss.

Conditions required to exploit

05 Prerequisites

Network access; specific conditions must be met (attack complexity is high).

Key dates

06 Disclosure timeline

August 13, 2025 CVE published
April 8, 2026 Record updated