Impact
The vulnerability arises from an unsanitized parameter that is passed directly to a shell command during image operations performed by several WordPress file manager plugins. This results in OS Command Injection, classified as CWE‑78, allowing an authenticated user with access to the plugin’s image processing features to execute arbitrary operating system commands with the permissions of the web server process. The lack of proper escaping or input validation when invoking the ImageMagick convert command is the root cause.
Affected Systems
Affected vendors include Unknown:Advanced File Manager, Unknown:File Manager, Unknown:File Manager Pro, and Unknown:FileOrganizer. The vulnerable releases are any versions prior to Advanced File Manager 5.4.12, File Organizer 1.1.9, File Manager Pro 2.1.1, and File Manager 8.0.4. These are all WordPress plugins that expose image manipulation capabilities through the web interface, and the flaw is present in all versions that do not incorporate the security fix.
Risk and Exploitability
The CVSS score of 9.1 places the issue in the critical range, while the EPSS score of less than 1% indicates a low current exploitation probability, though the potential damage is high. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication to the WordPress site, and the presence of the ImageMagick convert command line utility without the safe PHP imagick or GD extensions. Once accessed, an attacker could run arbitrary commands, potentially taking full control of the server.
OpenCVE Enrichment