26 Feb 2025

Developer of 1+ Million Install WordPress Plugin Warned Multiple Times of Known Vulnerable Library in Plugin and Still Hasn’t Addressed It

Yesterday, we covered our finding that the 1+ million install WordPress plugin WP File Manager contains a known vulnerable version of the JavaScript library jQuery UI. While following up on another element of that situation, we ran across the developer of the plugin having been warned publicly about that twice in the past. The developer responded both times that they would address it and then didn’t. That also means that they knew about the problem with another library and didn’t warn the developer of it.

The first notification was in April 2023 and the response from the developer then was: [Read more]

25 Feb 2025

Popular WordPress File Manager Plugins Contain Third-Party Library With Multiple Vulnerabilities

Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review. That issue being that the plugins contained a known vulnerable library. What was curious is that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:

[Read more]

16 Jan 2025

Developer of 1+ Million Install WordPress Plugin Hasn’t Addressed All Known Vulnerabilities Despite Making That Claim

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether a backward-looking determination is helpful, or whether past isn’t prologue in this case. We ran across an example where the problem with a developer has continued. It also suggests that a developer who isn’t making sure to mark their plugins compatible might have additional issues. And finally, the situation is a reminder that you can’t rely on plugin developers to give you accurate information on the security of their plugin.

A post from earlier this month on the support forum of the 1+ million install plugin WP File Manager was asking about compatibility with WordPress 6.7. The plugin had not been marked to be compatible with that version despite it being released in November. Someone from the developer responded that “Although the documentation currently lists compatibility up to WordPress 6.6.2, rest assured that the plugin has been tested and is fully functional with newer releases, including WordPress 6.7.1.” WordPress sends out an email ahead of new releases asking for developers to test and then mark their plugins compatible. So the failure to do that is somewhat concerning. [Read more]

1 Mar 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of March 1

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly, with plugins they use, but to a lesser extent other plugins. That work often goes unmentioned. So we are highlighting it to help better understand what is going on and how signing up for our service can help to expand that work.

Vulnerability Fixed in Finale Lite

A couple of weeks ago we noted that a vulnerability in a plugin being targeted by a hacker hadn’t been fully fixed. We also found that another plugin from the same developer was not fixed at all. This week that second plugin, Finale Lite, was fixed enough to stop exploitation. It still isn’t fully secured, though. [Read more]

29 Feb 2024

AI Helps to Detect Incomplete Security Fix Being Made to 1+ Million Install WordPress Plugin WP File Manager

We often find that attempts to fix vulnerabilities in WordPress plugins have been incomplete or failed entirely, including with vulnerabilities that could certainly be targeted. For us to be able to find that, we have to know that a vulnerability was supposed to have been fixed. Developers don’t always disclose that vulnerabilities have been fixed. While that could be defensible in limited circumstances for serious vulnerabilities likely to be exploited, it usually isn’t that situation when it happens. One method we have for determining that an attempt has been made to fix a vulnerability is using machine learning, a form of artificial intelligence (AI), to try to detect relevant changes being made to the code of plugins in the WordPress Plugin Directory. That monitoring flagged just such a change made yesterday to the 1+ million install plugin WP File Manager. The changelog for the change wouldn’t suggest a security fix, as it reads, “Fixed Language issue.”

Looking at the changes made, it isn’t hard to see why it was flagged, as a nonce check, which prevents a type of vulnerability, cross-site request forgery (CSRF), was being added: [Read more]

27 Oct 2022

WP File Manager Getting Evidence Free Blame for Hacked WordPress Websites

Earlier this week we mentioned how GoDaddy’s Sucuri security service isn’t doing basic work to properly clean up hacked WordPress websites. That involved them not trying to figure out how websites are being hacked. They are not alone in that, but others take that even further by blaming something for the hack without actually knowing if that is true, as they didn’t try to figure out the source. One recent example of that involves a thread on Reddit, which had 88 upvotes, where someone, claiming to work for a web host, blamed websites being hacked on a WordPress plugin named WP File Manager. By comparison, someone asking for evidence to support the claim was downvoted. While you can point the finger at Redditors for that mess, the claims made are worth breaking down, as they show how things can go wrong when dealing with hacked websites and how those that have the misfortune of having their website hacked can get a better outcome.

Confusion Over Outdated Software

One of the mistakes the poster makes is a failure to understand the implications of outdated software. They start their post this way: [Read more]

9 May 2022

WordPress Plugin Developer Security Advisory: mndpsingh287

One of the little understood realities of security issues with WordPress plugins is that the insecurity of WordPress plugins is not evenly spread across them. Instead, many developers are properly securing their plugins and others get them properly secured when alerted that they haven’t done that, while others either are unable or unwilling to properly secure their plugins. That includes situations where developers have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

12 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 12

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Path Traversal in Ad Inserter

One of the changelog entries for version 2.4.20 of Ad Inserter is “Fix for path traversal vulnerability – credit to Wilfried Bécard of Synacktiv (https://synacktiv.com)”. The relevant change looks to have replaced the following lines: [Read more]

20 Feb 2019

Just Closed File Manager WordPress Plugin with 300,000+ Installs Contains Authenticated Remote Code Execution (RCE) Vulnerability

Due to our monitoring for closures of the 1,000 most popular WordPress plugins we were notified that the plugin File Manager (WP File Manager), which has 300,000+ installs, was closed today. That a security vulnerability could have led to it being closed wouldn’t be surprising. That is in part due to one of the other plugins from the same developer, Duplicate Page, which has 700,000+ installs, being publicly known to contain multiple unfixed vulnerabilities for over a year (which no one on the WordPress side of things seems to care about), two of which we disclosed in October of 2017 after the developer didn’t respond to our notification to them of the issues. That is also in part due to the continued poor security of this plugin as well, including that it used to be fundamentally insecure and even when that was fixed it wasn’t fixed properly.

Once we were notified of the closure we started checking over the plugin to see if it had any obvious security issues. One of the things we do is to run the plugin through our Plugin Security Checker tool, which allows anyone to check for the possibility of some instances of security issues in WordPress plugins. That flagged that a function, mk_check_filemanager_php_syntax_callback(), was accessible through WordPress’ AJAX functionality to those logged in as well as those logged out. The function name hinted that there might be something that shouldn’t be accessible to those not logged in, at the very least. [Read more]

18 Sep 2018

Vulnerability Details: CSRF/XSS Vulnerability in File Manager (WP File Manager)

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

[Read more]