CVE-2025-0818
Description
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Several WordPress plugins using elFinder ≤2.1.64 allow unauthenticated directory traversal and arbitrary file deletion, requiring explicit file manager exposure by the site owner.
Vulnerability
Overview
CVE-2025-0818 describes a directory traversal vulnerability in elFinder versions 2.1.64 and prior. elFinder is an open-source web file manager with a JavaScript/jQuery UI front end and a PHP connector backend [1]. The bug resides in that PHP backend, where file operations accept client-supplied path names without sufficient validation, so a request can address paths outside the configured root directory. Because several WordPress plugins bundle elFinder as a component, sites running those plugins are exposed to file deletion attacks.
Exploitation
Requirements
Exploitation requires that a site owner has explicitly made an instance of the elFinder file manager available to end users, typically by configuring a plugin or integration that renders the interface and its PHP connector at a reachable URL. An unauthenticated attacker then sends crafted requests whose path components contain directory traversal sequences (for example ../) so that a delete operation resolves to a file outside the configured root. No prior authentication is needed when the connector is exposed publicly; if the site owner restricts it to logged-in administrators, the unauthenticated path is closed, although any user who can reach the connector can still attempt the same traversal. The vulnerable code path in elFinder.class.php (line 5367 of the referenced file) processes file paths without adequate validation, enabling the attacker to escape the designated base directory [2].
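The traversal described above comes down to a path check that is either missing or insufficient. The following Python sketch is an added example, not code from elFinder or from any of the plugins listed in the references: it puts the naive join (the vulnerable pattern) beside a containment check that canonicalizes the requested path and rejects anything that lands outside the root. The directory layout, file names and request paths are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def unsafe_resolve(root: str, user_path: str) -> str:
    """Vulnerable pattern: join the client-supplied path onto the root with
    no containment check, so '../' (or an absolute path) walks out of root."""
    return os.path.join(root, user_path)


def naive_target(root: str, user_path: str) -> str:
    """Where the naive join actually lands once the OS canonicalizes it."""
    return os.path.realpath(unsafe_resolve(root, user_path))


def safe_resolve(root: str, user_path: str) -> str:
    """Hardened pattern: canonicalize, then verify the result stays under root.

    Rejects NUL bytes, absolute paths, plain or percent-encoded '../'
    sequences, and symlinks that point outside the root (realpath follows
    them before the prefix check runs).
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    decoded = unquote(user_path)  # single decode, as a connector would do
    if decoded.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise ValueError(f"path escapes root: {user_path!r}")
    return candidate


def escapes_root(root: str, user_path: str) -> bool:
    """True when the hardened resolver rejects the request."""
    try:
        safe_resolve(root, user_path)
        return False
    except ValueError:
        return True


def make_sandbox() -> tuple[str, str, bool]:
    """Constructed layout: <base>/uploads is the file-manager root and
    <base>/wp-config.php stands in for a file the attacker wants deleted.
    Returns (root, outside_file, symlink_created)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="elfinder-demo-"))
    root = os.path.join(base, "uploads")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "w") as fh:
        fh.write("inside the root\n")
    outside = os.path.join(base, "wp-config.php")
    with open(outside, "w") as fh:
        fh.write("<?php // outside the root\n")
    try:  # a symlink inside the root that points back out of it
        os.symlink(base, os.path.join(root, "link"))
        link_ok = True
    except OSError:
        link_ok = False  # platforms without symlink support skip that case
    return root, outside, link_ok


# Constructed request paths covering the usual traversal variants.
ATTACK_PATHS = [
    "../wp-config.php",          # plain traversal
    "..%2Fwp-config.php",        # percent-encoded separator
    "docs/../../wp-config.php",  # traversal after a legitimate prefix
    "/etc/passwd",               # absolute path: os.path.join drops the root
    "docs/a.txt\x00.jpg",        # NUL byte truncation trick
]

if __name__ == "__main__":
    root, outside, link_ok = make_sandbox()
    print("legitimate:", safe_resolve(root, "docs/a.txt"))
    for p in ATTACK_PATHS + (["link/wp-config.php"] if link_ok else []):
        naive = "(NUL)" if "\x00" in p else naive_target(root, p)
        print(f"{p!r:30} naive -> {naive}  hardened rejects: {escapes_root(root, p)}")
```

The prefix check compares against `root_real + os.sep` rather than `root_real` alone so that a sibling directory such as `uploads2` is not mistaken for a child of `uploads`; the symlink case shows why the check has to run on the canonical path rather than on the string the client sent.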
Impact
Successful exploitation allows an unauthenticated attacker to delete arbitrary files that the web server process has permission to remove, which can lead to data loss, website defacement, or further compromise if critical files (configuration files, backups, plugin or theme code) are removed. Since the vulnerability enables deletion but not reading, the primary risk is destructive: an attacker can systematically remove files to take the site down, and deleting the files that enforce access control (for example a security plugin) can weaken the site's defenses against follow-on attacks.
Mitigation
Users of elFinder should update to version 2.1.65 or later, where the directory traversal issue is patched. Independently of this CVE, the elFinder project warns against running versions 2.1.67 or earlier on public servers because of severe security risks [1], so take the current release rather than the minimum fixed version. Site owners should also audit every WordPress plugin that bundles elFinder: each plugin ships its own copy of the connector and is only fixed once the plugin itself updates that copy (see the plugin changesets in the references). If updating is not immediately possible, remove the file manager from public access as a workaround.
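To support the audit of bundled copies recommended above, here is an added Python script, not elFinder or Wordfence tooling, that walks a wp-content/plugins tree, finds every elFinder.class.php, reads the version it declares and flags anything below 2.1.65. It assumes the bundled file carries a `protected static $version = '...';` declaration as elFinder's connector class does; the plugin tree it builds for the demonstration is constructed, and it borrows the connector paths from the references below only as names.

```python
import os
import re
import tempfile

# First release the mitigation text treats as fixed (2.1.64 and prior affected).
FIXED_VERSION = (2, 1, 65)

# Assumed declaration form inside elFinder.class.php:
#   protected static $version = '2.1.64';
VERSION_RE = re.compile(
    r"""protected\s+static\s+\$version\s*=\s*['"]([0-9][0-9.]*)['"]\s*;"""
)


def parse_version(text: str) -> tuple[int, ...]:
    """'2.1.64' -> (2, 1, 64), so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def find_connectors(plugins_dir: str):
    """Yield every elFinder.class.php under plugins_dir (case-insensitive)."""
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower() == "elfinder.class.php":
                yield os.path.join(dirpath, name)


def read_version(path: str):
    """Return the declared version string, or None if no declaration is found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def classify(version) -> str:
    if version is None:
        return "unknown"  # inspect by hand; never assume an unversioned copy is safe
    return "vulnerable" if parse_version(version) < FIXED_VERSION else "patched"


def audit(plugins_dir: str):
    """Return [(plugin_slug, relative_path, version, status), ...] sorted by plugin."""
    rows = []
    for path in find_connectors(plugins_dir):
        rel = os.path.relpath(path, plugins_dir)
        slug = rel.split(os.sep)[0]
        version = read_version(path)
        rows.append((slug, rel, version, classify(version)))
    return sorted(rows)


def make_fixture() -> str:
    """Constructed plugin tree: three fake bundled copies, two with a version
    line and one without, laid out under the connector paths in the references."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "wp-file-manager/lib/php/elFinder.class.php": "2.1.64",
        "filester/includes/File_manager/lib/php/elFinder.class.php": "2.1.65",
        "file-manager-advanced/application/library/php/elFinder.class.php": None,
    }
    for rel, ver in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        body = "<?php\nclass elFinder {\n"
        if ver:
            body += f"    protected static $version = '{ver}';\n"
        body += "}\n"
        with open(full, "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    import sys
    # Usage: python audit_elfinder.py /var/www/html/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for slug, rel, version, status in audit(target):
        print(f"{status:10} {version or '?':8} {rel}")
```

Run it against the real plugins directory rather than the fixture; a result of "unknown" means the copy could not be versioned from the file alone and should be compared against the plugin's changeset by hand.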
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/Studio-42/elFinder/blob/master/php/elFinder.class.php (NVD)
- plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/library/php/elFinder.class.php (NVD)
- plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/lib/php/elFinder.class.php (NVD)
- plugins.trac.wordpress.org/browser/wp-file-manager/trunk/lib/php/elFinder.class.php (NVD)
- plugins.trac.wordpress.org/changeset/3319016/filester (NVD)
- plugins.trac.wordpress.org/changeset/3335715/file-manager-advanced/trunk/application/library/php/elFinder.class.php (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/c2a166de-3bdf-4883-91ba-655f2757c53b (NVD)
News mentions
No linked articles in our index yet.