Description
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Published: 2026-07-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an unsanitized parameter that is passed directly to a shell command during image operations performed by several WordPress file manager plugins. This results in OS Command Injection, classified as CWE‑78, allowing an authenticated user with access to the plugin’s image processing features to execute arbitrary operating system commands with the permissions of the web server process. The lack of proper escaping or input validation when invoking the ImageMagick convert command is the root cause.

Affected Systems

Affected vendors include Unknown:Advanced File Manager, Unknown:File Manager, Unknown:File Manager Pro, and Unknown:FileOrganizer. The vulnerable releases are any versions prior to Advanced File Manager 5.4.12, File Organizer 1.1.9, File Manager Pro 2.1.1, and File Manager 8.0.4. These are all WordPress plugins that expose image manipulation capabilities through the web interface, and the flaw is present in all versions that do not incorporate the security fix.

Risk and Exploitability

The CVSS score of 9.1 places the issue in the critical range, while the EPSS score of less than 1% indicates a low current exploitation probability, though the potential damage is high. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication to the WordPress site, and the presence of the ImageMagick convert command line utility without the safe PHP imagick or GD extensions. Once accessed, an attacker could run arbitrary commands, potentially taking full control of the server.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all affected WordPress plugins to the latest versions that include the patch (Advanced File Manager 5.4.12+, File Organizer 1.1.9+, File Manager Pro 2.1.1+, and File Manager 8.0.4+).
  • Verify that the ImageMagick convert utility cannot be invoked by the web server process; if possible, remove it or restrict its execution permissions.
  • Ensure that one of the PHP imagick or GD extensions is installed and enabled so that the plugins use a safer image processing library instead of shell commands.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Title Multiple elFinder Plugins - Authenticated OS Command Injection
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-06T11:59:43.823Z

Reserved: 2026-04-15T17:44:55.095Z

Link: CVE-2026-6382

cve-icon Vulnrichment

Updated: 2026-07-06T11:59:40.621Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:30:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')