{"api_version":"1","generated_at":"2026-07-11T14:47:28+00:00","cve":"CVE-2026-6382","urls":{"html":"https://cve.report/CVE-2026-6382","api":"https://cve.report/api/cve/CVE-2026-6382.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6382","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6382"},"summary":{"title":"Multiple elFinder Plugins - Authenticated OS Command Injection","description":"The FileOrganizer  WordPress plugin before 1.1.9, Advanced File Manager  WordPress plugin before 5.4.12, File Manager Pro  WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.","state":"PUBLISHED","assigner":"WPScan","published_at":"2026-07-06 08:16:36","updated_at":"2026-07-06 18:37:01"},"problem_types":["CWE-94 Improper Control of Generation of Code ('Code Injection')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/","name":"https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/","refsource":"contact@wpscan.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6382","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6382","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Unknown","product":"FileOrganizer","version":"affected 1.1.9 semver","platforms":[]},{"source":"CNA","vendor":"Unknown","product":"Advanced File Manager","version":"affected 5.4.12 semver","platforms":[]},{"source":"CNA","vendor":"Unknown","product":"File Manager Pro","version":"affected 2.1.1 semver","platforms":[]},{"source":"CNA","vendor":"Unknown","product":"File Manager","version":"affected 8.0.4 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"mcdruid","lang":"en"},{"source":"CNA","value":"WPScan","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"6382","cve":"CVE-2026-6382","epss":"0.009020000","percentile":"0.554180000","score_date":"2026-07-08","updated_at":"2026-07-09 00:13:15"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-6382","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-06T11:59:11.815709Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-06T11:59:43.823Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"FileOrganizer","vendor":"Unknown","versions":[{"lessThan":"1.1.9","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"Advanced File Manager","vendor":"Unknown","versions":[{"lessThan":"5.4.12","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"File Manager Pro","vendor":"Unknown","versions":[{"lessThan":"2.1.1","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"File Manager","vendor":"Unknown","versions":[{"lessThan":"8.0.4","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"mcdruid"},{"lang":"en","type":"coordinator","value":"WPScan"}],"descriptions":[{"lang":"en","value":"The FileOrganizer  WordPress plugin before 1.1.9, Advanced File Manager  WordPress plugin before 5.4.12, File Manager Pro  WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions."}],"problemTypes":[{"descriptions":[{"description":"CWE-94 Improper Control of Generation of Code ('Code Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-06T06:00:02.217Z","orgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","shortName":"WPScan"},"references":[{"tags":["exploit","vdb-entry","technical-description"],"url":"https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/"}],"source":{"discovery":"EXTERNAL"},"title":"Multiple elFinder Plugins - Authenticated OS Command Injection","x_generator":{"engine":"WPScan CVE Generator"}}},"cveMetadata":{"assignerOrgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","assignerShortName":"WPScan","cveId":"CVE-2026-6382","datePublished":"2026-07-06T06:00:02.217Z","dateReserved":"2026-04-15T17:44:55.095Z","dateUpdated":"2026-07-06T11:59:43.823Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-06 08:16:36","lastModifiedDate":"2026-07-06 18:37:01","problem_types":["CWE-94 Improper Control of Generation of Code ('Code Injection')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T11:59:11.815709Z","id":"CVE-2026-6382","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6382","Ordinal":"1","Title":"Multiple elFinder Plugins - Authenticated OS Command Injection","CVE":"CVE-2026-6382","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6382","Ordinal":"1","NoteData":"The FileOrganizer  WordPress plugin before 1.1.9, Advanced File Manager  WordPress plugin before 5.4.12, File Manager Pro  WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.","Type":"Description","Title":"Multiple elFinder Plugins - Authenticated OS Command Injection"}]}}}