CVE-2024-0761

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access.
Configurations

Configuration 1 (hide)

cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:*:wordpress:*:*

History

24 Mar 2025, 14:32

Type Values Removed Values Added
CPE cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:* cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:*:wordpress:*:*
First Time Filemanagerpro
Filemanagerpro file Manager

21 Nov 2024, 08:47

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php - Patch () https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php - Patch
References () https://wordpress.org/plugins/wp-file-manager/ - Product () https://wordpress.org/plugins/wp-file-manager/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 8.1

13 Feb 2024, 17:16

Type Values Removed Values Added
First Time Webdesi9 file Manager
Webdesi9
CWE CWE-330
References () https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php - () https://plugins.trac.wordpress.org/changeset/3023403/wp-file-manager/trunk/file_folder_manager.php?old=2984933&old_path=wp-file-manager%2Ftrunk%2Ffile_folder_manager.php - Patch
References () https://wordpress.org/plugins/wp-file-manager/ - () https://wordpress.org/plugins/wp-file-manager/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/1928f8e4-8bbe-4a3f-8284-aa12ca2f5176?source=cve - Third Party Advisory
Summary
  • (es) El complemento File Manager para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 7.2.1 incluida, debido a una aleatoriedad insuficiente en los nombres de los archivos de respaldo, que utilizan una marca de tiempo más 4 dígitos aleatorios. Esto hace posible que atacantes no autenticados extraigan datos confidenciales, incluidas copias de seguridad del sitio, en configuraciones donde el archivo .htaccess en el directorio no bloquea el acceso.
CPE cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : 8.1
v2 : unknown
v3 : 7.5

05 Feb 2024, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 22:16

Updated : 2025-03-24 14:32


NVD link : CVE-2024-0761

Mitre link : CVE-2024-0761

CVE.ORG link : CVE-2024-0761


JSON object : View

Products Affected

filemanagerpro

  • file_manager
CWE
CWE-330

Use of Insufficiently Random Values