Vendor CVEs
Filemanagerpro
All CVEs
36 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6825 | | Cri | 0.70 | 9.9 | 0.06 | | Mar 13, 2024 | The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function.… |
| CVE-2026-39640 | | Cri | 0.62 | 9.6 | 0.00 | | Apr 8, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2. |
| CVE-2023-6846 | | Hig | 0.58 | 8.8 | 0.16 | | Feb 5, 2024 | The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute… |
| CVE-2023-50700 | | Hig | 0.51 | 7.8 | 0.00 | | Jul 26, 2024 | Insecure Permissions vulnerability in Deepin dde-file-manager 6.0.54 and earlier allows privileged operations to be called by unprivileged users via the D-Bus method. |
| CVE-2024-1538 | | Hig | 0.51 | 8.8 | 0.11 | | Mar 21, 2024 | The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it… |
| CVE-2025-30834 | | Hig | 0.49 | 7.5 | 0.00 | | Apr 1, 2025 | Path Traversal: '.../...//' vulnerability in Bit Apps Bit Assist bit-assist allows Path Traversal. This issue affects Bit Assist: from n/a through <= 1.5.4. |
| CVE-2025-68008 | | Hig | 0.46 | 7.1 | 0.00 | | Jan 22, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. |
| CVE-2025-23536 | | Hig | 0.46 | 7.1 | 0.00 | | Mar 3, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 Track Page Scroll track-page-scroll allows Reflected XSS. This issue affects Track Page Scroll: from n/a through <= 1.0.2. |
| CVE-2024-0761 | | Hig | 0.46 | 8.1 | 0.01 | | Feb 5, 2024 | The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated… |
| CVE-2025-58822 | | Med | 0.42 | 6.5 | 0.00 | | Sep 5, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows DOM-Based XSS. This issue affects WP Mail: from n/a through <= 1.3. |
| CVE-2023-7015 | | Med | 0.40 | 6.1 | 0.00 | | Mar 13, 2024 | The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject… |
| CVE-2025-52710 | | Med | 0.38 | 5.9 | 0.00 | | Jun 20, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ninja Team File Manager Pro filester allows Stored XSS. This issue affects File Manager Pro: from n/a through <= 1.8.8. |
| CVE-2023-51371 | | Med | 0.38 | 5.9 | 0.00 | | Dec 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bit Assist Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support… |
| CVE-2024-2654 | | Med | 0.37 | 6.8 | 0.01 | | Apr 9, 2024 | The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary… |
| CVE-2022-47599 | | Med | 0.36 | 5.5 | 0.01 | | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress \| Bit File Manager. This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress \| Bit File… |
| CVE-2025-68596 | | Med | 0.34 | 5.3 | 0.00 | | Dec 24, 2025 | Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11. |
| CVE-2024-37254 | | Med | 0.28 | 4.3 | 0.00 | | Nov 1, 2024 | Missing Authorization vulnerability in mndpsingh287 File Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Manager: from n/a through 7.2.7. |
| CVE-2024-1640 | | Med | 0.27 | 5.3 | 0.00 | | Mar 13, 2024 | The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient user validation on the bitforms_update_form_entry AJAX action in all… |
| CVE-2022-50891 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. Attackers can craft URLs targeting the download and list endpoints with embedded script tags to… |
| CVE-2022-50890 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Owlfiles File Manager 12.0.1 contains a path traversal vulnerability in its built-in HTTP server that allows attackers to access system directories. Attackers can exploit the vulnerability by crafting GET requests with directory traversal sequences to access restricted system… |
| CVE-2025-0822 | | | 0.00 | — | 0.01 | | Feb 15, 2025 | Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the… |
| CVE-2025-0821 | | | 0.00 | — | 0.01 | | Feb 14, 2025 | Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes… |
| CVE-2024-13791 | | | 0.00 | — | 0.01 | | Feb 14, 2025 | Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary… |
| CVE-2024-12331 | | | 0.00 | — | 0.00 | | Dec 19, 2024 | The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with… |
| CVE-2024-9669 | | | 0.00 | — | 0.01 | | Nov 28, 2024 | The File Manager Pro – Filester plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 1.8.5 via the 'fm_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to… |
| CVE-2024-8066 | | | 0.00 | — | 0.01 | | Nov 28, 2024 | The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access… |
| CVE-2018-25105 | | | 0.00 | — | 0.01 | | Oct 16, 2024 | The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and… |
| CVE-2024-8746 | | | 0.00 | — | 0.01 | | Oct 16, 2024 | The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for… |
| CVE-2022-2440 | | | 0.00 | — | 0.01 | | Aug 29, 2024 | The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including 2.8. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper… |
| CVE-2023-26321 | | | 0.00 | — | 0.01 | | Aug 28, 2024 | A path traversal vulnerability exists in the Xiaomi File Manager application product (international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file. |
| CVE-2024-7660 | | | 0.00 | — | 0.00 | | Aug 11, 2024 | A vulnerability has been found in SourceCodester File Manager App 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Add File Handler. The manipulation of the argument File Title/Uploaded By leads to cross site… |
| CVE-2024-7031 | | | 0.00 | — | 0.01 | | Aug 3, 2024 | The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated… |
| CVE-2024-2604 | | | 0.00 | — | 0.01 | | Mar 18, 2024 | A vulnerability was found in SourceCodester File Manager App 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/update-file.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated… |
| CVE-2023-5790 | | | 0.00 | — | 0.01 | | Oct 26, 2023 | A vulnerability classified as critical was found in SourceCodester File Manager App 1.0. Affected by this vulnerability is an unknown functionality of the file endpoint/add-file.php. The manipulation of the argument uploadedFileName leads to unrestricted upload. The attack can… |
| CVE-2019-14758 | | | 0.00 | — | 0.01 | | Sep 14, 2020 | An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed File Manager application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a file via email to the victim that will inject HTML into the File Manager application (assuming the victim… |
| CVE-2019-8345 | | | 0.00 | — | 0.00 | | Feb 15, 2019 | The Help feature in the ES File Explorer File Manager application 4.1.9.7.4 for Android allows session hijacking by a Man-in-the-middle attacker on the local network because HTTPS is not used, and an attacker's web site is displayed in a WebView with no information about the URL. |