Description
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.
Published: 2025-10-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The File Manager, Code Editor, and Backup by Managefy plugin leaks sensitive information through publicly exposed log files. Unauthenticated attackers can view full paths and backup file locations, which can aid in mapping the site’s file structure. The weakness is a classic CWE‑200 – Sensitive Information Exposure, leading to confidentiality loss rather than code execution or denial of service.

Affected Systems

Any WordPress instance that has the softdiscover File Manager, Code Editor, and Backup by Managefy plugin installed in a version equal to or older than 1.6.1 is affected. Site administrators should check the installed plugin version; the vulnerability applies to all releases up to and including 1.6.1.

Risk and Exploitability

The CVSS base score is 5.9, indicating moderate risk. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Because the exposed logs can be accessed without authentication, the attack vector is straightforward – any external user who can reach the publicly exposed URLs for the log files can obtain the leaked paths.

Generated by OpenCVE AI on April 22, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the File Manager, Code Editor, and Backup by Managefy plugin to the latest release (≥ 1.6.2) to eliminate the public log files.
  • Verify that the plugin’s log directory is not world‑readable; adjust file system permissions to restrict access to the web server only.
  • If immediate upgrade is not feasible, temporarily disable or delete the log files exposed by the backup module to prevent information leakage.

Generated by OpenCVE AI on April 22, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31820 The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 02 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Softdiscover
Softdiscover file Manager Code Editor And Backup
Wordpress
Wordpress wordpress
Vendors & Products Softdiscover
Softdiscover file Manager Code Editor And Backup
Wordpress
Wordpress wordpress

Wed, 01 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Oct 2025 03:30:00 +0000

Type Values Removed Values Added
Description The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.
Title File Manager, Code editor, backup by Managefy <= 1.6.1 - Unauthenticated Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Softdiscover File Manager Code Editor And Backup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:47.058Z

Reserved: 2025-09-19T19:20:39.706Z

Link: CVE-2025-10744

cve-icon Vulnrichment

Updated: 2025-10-01T15:00:57.127Z

cve-icon NVD

Status : Deferred

Published: 2025-10-01T04:16:01.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10744

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses