Description
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.
Published: 2025-06-14
Score: 7.2 High
EPSS: 1.4% Low
KEV: No
Impact: Arbitrary File Upload leading to potential Remote Code Execution
Action: Update Plugin
AI Analysis

Impact

The File Manager Pro – Filester plugin for WordPress allows authenticated users with Administrator-level access to upload files without proper file type validation, which amounts to an arbitrary file upload. Because an uploaded file may be executable by the web server, the flaw can lead to remote code execution. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).

Affected Systems

Vulnerable versions are all releases up to and including 1.8.8 of File Manager Pro – Filester (vendor: ninjateam). Administrator-level access is required to exploit the flaw, but the plugin's permission model can extend file manager privileges to lower-level users such as subscribers, which expands the attack surface on sites configured that way.

Risk and Exploitability

The CVSS score is 7.2, indicating high severity. The EPSS score of 1% shows that, while exploitation is possible, it is not among the most frequently observed vulnerabilities. The vulnerability is not currently listed in the CISA KEV catalog, which suggests no confirmed exploitation in the wild yet. Exploitation requires authenticated Administrator access and the ability to upload a crafted file; an attacker could obtain that access by compromising an account with sufficient privileges or through social engineering.

Generated by OpenCVE AI on April 22, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade File Manager Pro – Filester to the latest version that includes proper file type validation (all versions 1.8.8 and below are vulnerable).
  • Revoke file manager upload privileges from non-administrator accounts, especially subscribers, to limit the potential impact.
  • Disable the plugin's file upload feature or implement server-side file type checks as a temporary workaround until the official patch is applied.
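As an added illustration of the third action (server-side file type checks), the PHP below is example code written for this page; it is not code from the Filester plugin, from ninjateam, or from OpenCVE. It assumes uploads pass through WordPress's own `wp_handle_upload()` path so that the real `wp_handle_upload_prefilter` filter fires, and the extension allowlist `SAFE_UPLOAD_EXTENSIONS` and the function name `example_validate_upload` are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not part of the OpenCVE page or the Filester plugin):
 * a server-side allowlist check for uploaded files, hooked into
 * WordPress's wp_handle_upload_prefilter. The allowlist below is an
 * assumption for illustration; adjust it to what the site actually needs.
 * A file manager that writes files through its own handler instead of
 * wp_handle_upload() will not pass through this filter.
 */

// Extensions the site is willing to accept (assumed list for the example).
const SAFE_UPLOAD_EXTENSIONS = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'csv' );

/**
 * Validate an upload: every extension in the name must be on the allowlist
 * (so "shell.php.jpg" is rejected, not just "shell.php"), and the content
 * WordPress sniffs from the file must map to an allowed type as well.
 *
 * @param array $file The $_FILES entry handed to wp_handle_upload_prefilter.
 * @return array The same array, with 'error' set when the file is rejected.
 */
function example_validate_upload( $file ) {
    $name = isset( $file['name'] ) ? (string) $file['name'] : '';
    $tmp  = isset( $file['tmp_name'] ) ? (string) $file['tmp_name'] : '';

    // Split on every dot so a double extension is seen as two extensions.
    $parts = explode( '.', strtolower( basename( $name ) ) );
    if ( count( $parts ) < 2 ) {
        $file['error'] = 'Files without an extension are not allowed.';
        return $file;
    }
    array_shift( $parts ); // drop the base name; everything left is an extension
    foreach ( $parts as $ext ) {
        if ( ! in_array( $ext, SAFE_UPLOAD_EXTENSIONS, true ) ) {
            $file['error'] = sprintf( 'The file extension ".%s" is not allowed.', $ext );
            return $file;
        }
    }

    // Let WordPress sniff the content and reconcile it with the extension;
    // ext/type come back false when the content and name disagree.
    $check = wp_check_filetype_and_ext( $tmp, $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        $file['error'] = 'File content does not match an allowed type.';
        return $file;
    }
    if ( ! in_array( strtolower( $check['ext'] ), SAFE_UPLOAD_EXTENSIONS, true ) ) {
        $file['error'] = 'Detected file type is not allowed.';
        return $file;
    }

    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_validate_upload' );
```

Returning the array with `error` set is how WordPress's upload API signals a rejected file, so no further plumbing is needed once the filter is registered. The filter only covers uploads that go through the WordPress upload API; a file manager with its own upload handler bypasses it, and for that case the control belongs inside the plugin or at the web server (for example, denying script execution under the uploads directory). Either way this is defence in depth behind the plugin update, not a substitute for it.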



Advisories

Source: EUVD
ID: EUVD-2025-18320
Title: The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.
History

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00315}
Values added: {'score': 0.00343}

Sat, 14 Jun 2025 05:45:00 +0000

Type: Description
Values added: The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.

Type: Title
Values added: File Manager Pro – Filester <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload

Type: Weaknesses
Values added: CWE-434

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:24.218Z

Reserved: 2025-04-03T18:14:00.849Z

Link: CVE-2025-3234

Vulnrichment

Updated: 2025-06-16T16:49:05.092Z

NVD

Status: Deferred

Published: 2025-06-14T06:15:18.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses