Description
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
Published: 2025-08-28
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Disclosure
Action: Immediate Patch
AI Analysis

Impact

The File Manager, Code Editor, and Backup by Managefy plugin for WordPress has a path traversal flaw in the ajax_downloadfile() function that lets an authenticated user with Subscriber-level access and above download files outside the intended directory, enabling confidential data disclosure.

Affected Systems

All WordPress installations running the softdiscover File Manager, Code Editor, and Backup by Managefy plugin version 1.4.8 or earlier are affected; the publisher is Softdiscover.

Risk and Exploitability

The CVSS score is 4.9, reflecting a low‑to‑moderate threat, and the EPSS score of less than 1% indicates that exploitation is currently unlikely, but the vulnerability is not listed in CISA's KEV catalog. Because the flaw requires legitimate credentials, only users with Subscriber or higher roles can abuse it; an attacker who compromises such a user could download arbitrary files from the host, potentially exposing sensitive system or application data. No public exploit has been reported.

Generated by OpenCVE AI on April 20, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the File Manager, Code Editor, and Backup by Managefy plugin to the latest version or apply the vendor's security patch if one is available.
  • If a patch is not available, disable or uninstall the vulnerable plugin to eliminate the attack surface.
  • Restrict WordPress user roles by ensuring that only trusted personnel possess Subscriber-level or higher access, and review all user accounts for unnecessary permissions.

Generated by OpenCVE AI on April 20, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25956 The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
History

Thu, 28 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 04:00:00 +0000

Type Values Removed Values Added
Description The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
Title File Manager, Code Editor, and Backup by Managefy <= 1.4.8 - Authenticated (Admin+) Path Traversal to Arbitrary File Download
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:17.967Z

Reserved: 2025-08-22T14:12:56.987Z

Link: CVE-2025-9345

cve-icon Vulnrichment

Updated: 2025-08-28T13:36:55.720Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T04:16:03.687

Modified: 2026-06-17T10:08:47.507

Link: CVE-2025-9345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')