{"api_version":"1","generated_at":"2026-07-06T23:59:16+00:00","cve":"CVE-2020-25213","urls":{"html":"https://cve.report/CVE-2020-25213","api":"https://cve.report/api/cve/CVE-2020-25213.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25213","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25213"},"summary":{"title":"CVE-2020-25213","description":"The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-09-09 16:15:00","updated_at":"2023-04-03 20:15:00"},"problem_types":["CWE-434"],"metrics":[],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/2373068","name":"https://plugins.trac.wordpress.org/changeset/2373068","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"403"},{"url":"https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/","name":"https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/","name":"https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/","refsource":"MISC","tags":["Press/Media Coverage","Third Party Advisory"],"title":"Millions of WordPress sites are being probed & attacked with recent plugin bug | ZDNet","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wordpress.org/plugins/wp-file-manager/#developers","name":"https://wordpress.org/plugins/wp-file-manager/#developers","refsource":"MISC","tags":["Product","Third Party Advisory"],"title":"File Manager | WordPress.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html","name":"http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html","refsource":"MISC","tags":[],"title":"WordPress File Manager 6.9 Shell Upload ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/","name":"https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Severe 0-day security vulnerability found by Seravo in WP File Manager | Seravo","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"WordPress File Manager 6.8 Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html","name":"https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"WordPress Websites Attacked via File Manager Plugin Vulnerability – HOTforSecurity","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/w4fz5uck5/wp-file-manager-0day","name":"https://github.com/w4fz5uck5/wp-file-manager-0day","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"GitHub - w4fz5uck5/wp-file-manager-0day: wp-file-manager 6.7 (Aug 2020) Wordpress Plugin 0day - Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25213","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25213","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"25213","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webdesi9","cpe5":"file_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25213","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webdesi9","cpe5":"file_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2020","cve_id":"25213","cve":"CVE-2020-25213","vendorProject":"WordPress","product":"File Manager Plugin","vulnerabilityName":"WordPress File Manager Plugin Remote Code Execution Vulnerability","dateAdded":"2021-11-03","shortDescription":"WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-05-03","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2020-25213","cwes":"CWE-434","catalogVersion":"2026.07.01","updated_at":"2026-07-01 19:35:15"},"epss":{"cve_year":"2020","cve_id":"25213","cve":"CVE-2020-25213","epss":"0.973280000","percentile":"0.998880000","score_date":"2026-07-05","updated_at":"2026-07-06 00:01:23"},"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-25213","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://wordpress.org/plugins/wp-file-manager/#developers","refsource":"MISC","name":"https://wordpress.org/plugins/wp-file-manager/#developers"},{"refsource":"MISC","name":"https://github.com/w4fz5uck5/wp-file-manager-0day","url":"https://github.com/w4fz5uck5/wp-file-manager-0day"},{"url":"https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html","refsource":"MISC","name":"https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"},{"url":"https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/","refsource":"MISC","name":"https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/"},{"url":"https://plugins.trac.wordpress.org/changeset/2373068","refsource":"MISC","name":"https://plugins.trac.wordpress.org/changeset/2373068"},{"url":"https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/","refsource":"MISC","name":"https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/"},{"url":"https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/","refsource":"MISC","name":"https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html","url":"http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html"}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N","version":"3.1"},"ssvc":"Attend"}},"nvd":{"publishedDate":"2020-09-09 16:15:00","lastModifiedDate":"2023-04-03 20:15:00","problem_types":["CWE-434"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"6.9","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25213","Ordinal":"186624","Title":"CVE-2020-25213","CVE":"CVE-2020-25213","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25213","Ordinal":"1","NoteData":"The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"25213","Ordinal":"2","NoteData":"2020-09-09","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"25213","Ordinal":"3","NoteData":"2020-11-10","Type":"Other","Title":"Modified"}]}}}