Vulnerabilities > Webdesi9
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-02-05 | CVE-2024-0761 | Use of Insufficiently Random Values vulnerability in Webdesi9 File Manager The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. | 7.5 |
2021-04-05 | CVE-2021-24177 | Cross-site Scripting vulnerability in Webdesi9 File Manager In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. | 3.5 |
2020-09-09 | CVE-2020-25213 | Unrestricted Upload of File with Dangerous Type vulnerability in Webdesi9 File Manager The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. | 7.5 |
2020-08-26 | CVE-2020-24312 | Files or Directories Accessible to External Parties vulnerability in Webdesi9 File Manager mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. | 7.5 |
2019-04-15 | CVE-2018-16967 | Cross-site Scripting vulnerability in Webdesi9 File Manager 3.0 There is an XSS vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. | 6.1 |
2019-04-15 | CVE-2018-16966 | Cross-Site Request Forgery (CSRF) vulnerability in Webdesi9 File Manager 3.0 There is a CSRF vulnerability in the mndpsingh287 File Manager plugin 3.0 for WordPress via the page=wp_file_manager_root public_path parameter. | 8.8 |
2018-09-07 | CVE-2018-16363 | Cross-site Scripting vulnerability in Webdesi9 File Manager 2.9 The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php. | 3.5 |
2017-12-19 | CVE-2017-17744 | Cross-site Scripting vulnerability in Webdesi9 Custom MAP 1.0/1.0.1/1.1 A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php. | 4.3 |