CVE-2020-25213
Summary
| CVE | CVE-2020-25213 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-09-09 16:15:00 UTC |
| Updated | 2023-04-03 20:15:00 UTC |
| Description | The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020. |
Risk And Classification
EPSS: 0.973280000 probability, percentile 0.998880000 (date 2026-07-06)
CISA KEV: Listed on 2021-11-03; due 2022-05-03; ransomware use Unknown
Problem Types: CWE-434
CISA Known Exploited Vulnerability
| Vendor | WordPress |
|---|---|
| Product | File Manager Plugin |
| Name | WordPress File Manager Plugin Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-25213 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Webdesi9 | File Manager | All | All | All | All |
| Application | Webdesi9 | File Manager | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 403 Forbidden | MISC | plugins.trac.wordpress.org | Patch, Third Party Advisory |
| 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin | MISC | wordfence.com | Exploit, Third Party Advisory |
| Millions of WordPress sites are being probed & attacked with recent plugin bug | ZDNet | MISC | zdnet.com | Press/Media Coverage, Third Party Advisory |
| File Manager | WordPress.org | MISC | wordpress.org | Product, Third Party Advisory |
| WordPress File Manager 6.9 Shell Upload ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Severe 0-day security vulnerability found by Seravo in WP File Manager | Seravo | MISC | seravo.com | Exploit, Third Party Advisory |
| WordPress File Manager 6.8 Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| WordPress Websites Attacked via File Manager Plugin Vulnerability – HOTforSecurity | MISC | hotforsecurity.bitdefender.com | Third Party Advisory |
| GitHub - w4fz5uck5/wp-file-manager-0day: wp-file-manager 6.7 (Aug 2020) Wordpress Plugin 0day - Remote Code Execution | MISC | github.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.