vulnerability

WordPress Plugin: wp-file-manager: CVE-2025-0818: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:M/Au:N/C:N/I:C/A:P)	Aug 12, 2025	Aug 13, 2025	Aug 13, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:C/A:P)

Published

Aug 12, 2025

Added

Aug 13, 2025

Modified

Aug 13, 2025

Description

Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.

Solution

wp-file-manager-plugin-cve-2025-0818

References

https://www.cve.org/CVERecord?id=CVE-2025-0818
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2a166de-3bdf-4883-91ba-655f2757c53b?source=api-prod
CVE-2025-0818
https://attackerkb.com/topics/CVE-2025-0818

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report