Popular WordPress File Manager Plugins Contain Third-Party Library With Multiple Vulnerabilities
Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review: the plugins contained a known vulnerable library. What was curious is that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:
The 100,000+ install Advanced File Manager:
And finally the 80,000+ install Filester:
Was it just a coincidence that they all contained a vulnerable version of the jQuery UI library?
Before we reached out to the developers to let them know about that, we checked to make sure the tool’s information was correct. That led us to find each of them is based on the same library that provides the file manager, elFinder. The jQuery UI library is part of that library. So elFinder is still using a known vulnerable version of jQuery UI? No. The developer of that updated to a fixed version in December 2023.
So the developers of the file manager plugins haven’t bothered to update the core of their plugins in over a year. It isn’t as if the developers of these plugins shouldn’t have security on their radar; prominently on the WordPress Plugin Directory page for Filester is this:
Did you know?
More than 700,000 WordPress websites were attacked during September 2020.
Malicious bots are looking to exploit vulnerable versions of WP file manager plugins.
Fortunately, Filester comes with this vulnerability fixed!
Filester poses no risk to you, so rest assured! 🤗
The developer of elFinder isn’t doing a great job either, as three of the jQuery UI vulnerabilities were disclosed by the developer of the library in October 2021 (1, 2, 3) and the last was disclosed in July 2022. If those incorporating the library into their own solutions were more focused on security, that would help to avoid mistakes like that. But as these plugins show, that isn’t the case.
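A defensive check of the kind described above, written for this post as an added example (it is not our scanner’s code nor anything from elFinder or the plugins): walk a plugin tree, read the version banner that jQuery UI puts at the top of its script files, and flag copies older than a minimum release. The minimum of 1.13.2 (the jQuery UI release that shipped the fix for the July 2022 advisory) and the sample plugin paths are assumptions constructed for the demo.

```python
"""Flag bundled jQuery UI copies older than a minimum fixed release."""
import os
import re
import tempfile

# Assumption: jQuery UI 1.13.2 is the first release carrying the fix for the
# July 2022 advisory, so anything older still has the issues discussed above.
MIN_FIXED = (1, 13, 2)

# jQuery UI's banner comment reads e.g.: /*! jQuery UI - v1.12.1 - 2016-09-14
BANNER_RE = re.compile(r"jQuery UI - v(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a jQuery UI banner, or None if absent."""
    m = BANNER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_plugin_dir(root):
    """Return [(relative_path, version)] for each jQuery UI file under root
    whose banner version is older than MIN_FIXED."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js") or "jquery-ui" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                ver = parse_version(fh.read(512))  # banner sits at the top
            if ver and ver < MIN_FIXED:
                findings.append((os.path.relpath(path, root), ver))
    return findings


def demo():
    """Constructed sample tree: one outdated bundle, one current one."""
    root = tempfile.mkdtemp()
    samples = {  # hypothetical plugin paths, not real project layouts
        "plugin-a/lib/jquery-ui-1.11.4.js":
            "/*! jQuery UI - v1.11.4 - 2015-03-11\n * http://jqueryui.com */",
        "plugin-b/assets/jquery-ui.min.js":
            "/*! jQuery UI - v1.13.2 - 2022-07-14\n * http://jqueryui.com */",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_plugin_dir(root)


if __name__ == "__main__":
    for rel, ver in demo():
        print(f"outdated jQuery UI {'.'.join(map(str, ver))} in {rel}")
```

Pointed at a real wp-content/plugins directory, the same walk surfaces every bundled copy regardless of which file manager library wraps it.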
That the most popular of those plugins, WP File Manager, is affected by this shouldn’t be surprising as we have been warning not to use plugins from the developer since May 2022 because of their repeated poor handling of security. The plugin also still contains a minor vulnerability we warned the developer they had incompletely fixed a year ago.
We have notified the developers of the three plugins that their plugins contain the known vulnerable library because they bundle an outdated version of elFinder.