What the vulnerability does
01Description
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
Explanation of Vulnerability in Simple Terms
02Summary
File Manager Pro – Filester versions up to 1.8.9 contain a path traversal vulnerability that allows an attacker to write or modify files outside the intended directory. The vulnerability requires specific conditions to exploit but can result in file corruption or unauthorized modifications. Site administrators should update to a version newer than 1.8.9 as soon as possible.
What an attacker can do
03Attacker Capabilities
Write or modify files outside the intended directory on the server.
Potential impact on your site
04Site Impact
Unauthorized file modifications or corruption; potential site malfunction or data loss.
Conditions required to exploit
05Prerequisites
Network access; specific conditions must be met (attack complexity is high).
Key dates
06Disclosure timeline
August 13, 2025
CVE published
April 8, 2026
Record updated