CVE-2020-25213
Published: 09 September 2020
Summary
CVE-2020-25213 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Filemanagerpro File Manager. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
The File Manager (wp-file-manager) plugin before version 6.9 for WordPress contains an arbitrary file upload vulnerability tracked as CVE-2020-25213. The root cause is the plugin's renaming of an unsafe example elFinder connector file to a .php extension, which enables use of elFinder commands such as upload, mkfile, and put to write attacker-controlled PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. The issue is classified under CWE-434 and carries a CVSS 3.1 base score of 10.0.
Unauthenticated remote attackers can exploit the flaw over the network to upload and execute arbitrary PHP, resulting in full compromise of confidentiality, integrity, and availability with scope change to other WordPress components. Public exploit code and Metasploit modules have been available since shortly after disclosure, lowering the barrier for mass compromise of unpatched sites.
The official mitigation is to update the plugin to version 6.9 or later, as reflected in the WordPress plugin repository changeset 2373068 that removed the vulnerable connector file. Multiple public advisories and proof-of-concept reports emphasize that sites remaining on earlier releases remain exposed until the update is applied.
The vulnerability saw active exploitation in the wild during August and September 2020, with observed campaigns leveraging it for website defacement and further malware deployment.
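The two facts a site owner needs from the analysis above are whether the installed plugin is still below 6.9 and whether anything PHP-executable has already been written into wp-content/plugins/wp-file-manager/lib/files/. The script below is an added example written for this page, not code from the advisory or from the wp-file-manager project. It assumes the plugin is installed under the standard wp-content/plugins/wp-file-manager/ path and that it declares its version in the usual WordPress plugin header ("Version: x.y") of a PHP file in its top-level directory; the writable lib/files/ path is the one named in the advisory.

```python
"""Defender-side checks for CVE-2020-25213 (added example, not project code).

Assumptions (labelled): the plugin lives under wp-content/plugins/wp-file-manager/
and carries a standard WordPress plugin header with a "Version:" line in one of
its top-level .php files. lib/files/ is the directory the advisory names as the
place where uploaded PHP lands.
"""
import re
import sys
from pathlib import Path

FIXED_VERSION = (6, 9)                                  # fixed in 6.9 per the advisory
PLUGIN_DIR = Path("wp-content/plugins/wp-file-manager")  # assumed install path
# Extensions that common PHP handler configurations will execute.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Matches "Version: 6.8" or " * Version: 6.8" inside a plugin header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M | re.I)


def parse_version(text: str) -> tuple:
    """'6.10' -> (6, 10); tuples compare numerically, so 6.10 > 6.9."""
    return tuple(int(part) for part in text.split(".") if part != "")


def plugin_version(header_text: str):
    """Extract the version tuple from plugin header text, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return parse_version(match.group(1)) if match else None


def is_vulnerable_version(version) -> bool:
    """Anything below 6.9 is affected; unknown versions are not flagged here."""
    return version is not None and version < FIXED_VERSION


def find_plugin_header(plugin_root: Path):
    """Return the version from the first top-level .php file that has a header."""
    for path in sorted(plugin_root.glob("*.php")):
        version = plugin_version(path.read_text(errors="replace"))
        if version is not None:
            return version
    return None


def find_suspicious_files(files_dir: Path) -> list:
    """List files under lib/files/ whose name carries any PHP-executable suffix.

    Every suffix is checked, so double extensions such as 'x.php.txt' are
    reported too; they are harmless for most handlers but still worth a look.
    """
    hits = []
    if not files_dir.is_dir():
        return hits
    for path in files_dir.rglob("*"):
        if path.is_file() and any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
            hits.append(str(path.relative_to(files_dir)))
    return sorted(hits)


def assess(plugin_root: Path) -> dict:
    """Combine the version check and the lib/files/ scan into one verdict."""
    version = find_plugin_header(plugin_root)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "suspicious_files": find_suspicious_files(plugin_root / "lib" / "files"),
    }


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else PLUGIN_DIR
    print(assess(root))
```

Run it from the WordPress document root (or pass the plugin directory as the first argument). A non-empty suspicious_files list on a site that was on a pre-6.9 release during August or September 2020 should be treated as a possible compromise, not just a missing patch: the files in that directory were written through the connector, and the advisory notes the flaw was used for defacement and follow-on malware deployment.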
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17903
Vulnerability details
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
- CWE(s): CWE-434
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor update that removes the unsafe elFinder connector and eliminates the arbitrary PHP upload path.
- AC-3 (Access Enforcement): enforces access-control decisions that would block unauthenticated remote use of the upload/mkfile/put commands before any PHP file can be written.
- SI-10 (Information Input Validation): requires validation of all input (including uploaded files) to reject dangerous content types such as PHP before they reach the wp-content/plugins directory.
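The input-validation control above is the compensating layer that should hold even when a file-manager component is reachable without authentication. The snippet below is an added example for this page, not code from the plugin or from elFinder. It places the kind of weak check that CWE-434 bugs get past (a case-sensitive test of the final extension only) beside a hardened upload validator that strips any directory component, checks every suffix of the name against a deny-list of PHP-executable extensions, requires the final suffix to be on an allow-list, and sniffs the content for a PHP open tag. The allow-list and the deny-list are assumptions chosen for the example.

```python
"""Server-side upload validation for CWE-434 (added example, not project code).

weak_is_allowed() shows the check that lets executable uploads through;
validate_upload() is the hardened replacement. The extension lists are
assumptions for this example and should be tuned to what a site really serves.
"""
import re
from pathlib import PurePosixPath
from typing import Optional

# Extensions that typical PHP handler configurations execute (deny-list).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# What this hypothetical site is willing to store (allow-list).
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# PHP open tags ("<?php" and the short echo tag "<?=") anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.I)


def weak_is_allowed(filename: str) -> bool:
    """The check that is not enough: only a literal trailing '.php' is rejected.

    'shell.PHP', 'shell.phtml' and 'shell.php.jpg' all pass this test.
    """
    return not filename.endswith(".php")


def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return the sanitized basename to store under, or None to reject.

    Returning the name (rather than a bool) makes the caller use the cleaned
    value, so a path such as '../../x.jpg' cannot steer the write location.
    """
    # Drop any directory part, whatever separator the client used.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or "\x00" in name or name in {".", ".."}:
        return None

    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    # Must have an extension, and the last one must be explicitly allowed.
    if not suffixes or suffixes[-1] not in ALLOWED_EXTS:
        return None
    # Every suffix is checked, so 'shell.php.jpg' is rejected as well.
    if any(s in EXECUTABLE_EXTS for s in suffixes):
        return None
    # Name says image/document, body says PHP: reject the mismatch.
    if PHP_OPEN_TAG.search(content):
        return None
    return name


if __name__ == "__main__":
    # Constructed samples: a normal image and a PHP body with an image name.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff"))
    print(validate_upload("photo.jpg", b"<?php echo 1; ?>"))
```

The content sniff is a cheap last line of defence, not a parser; pairing it with a web-server rule that refuses to execute PHP from the upload directory gives two independent controls, so a gap in one does not by itself produce code execution.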