Title: Security issues in this plugin!
Last modified: August 22, 2016

---

# Security issues in this plugin!

 *  Resolved [Joy](https://wordpress.org/support/users/joyously/)
 * (@joyously)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/security-issues-in-this-plugin/)
 * There is a security hole in this plugin.
   I do not have it installed, but my 404 logs show that hackers attempt to get
   my config file using
 * `/wp-content/plugins/wp-filemanager/incl/libfile.php?path=../../&filename=wp-config.php&action=download`
 * Please fix this!
 * [https://wordpress.org/plugins/wp-filemanager/](https://wordpress.org/plugins/wp-filemanager/)

Viewing 1 replies (of 1 total)

 *  Plugin Author [anantshri](https://wordpress.org/support/users/anantshri/)
 * (@anantshri)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/security-issues-in-this-plugin/#post-5719278)
 * Hi Joy,
 * Thanks for reporting. This is an old vulnerability which was present in version
   1.3.0, and when it was first discovered, within 2 days a patch and security update
   were issued. 1.4.0, which is the current version, has this issue fixed already.
 * The “Fix of a Security Issue caused by arbitrary file download vulnerability.”
   mentioned in the changelog points to this same issue.
 * For further proof, if you look at this file here: [http://plugins.svn.wordpress.org/wp-filemanager/tags/1.4.0/incl/libfile.php](http://plugins.svn.wordpress.org/wp-filemanager/tags/1.4.0/incl/libfile.php)
 * it doesn’t execute, as the first function call is die();
 * So, just reiterating: rest assured this issue was fixed as soon as it was spotted,
   although it would have been better if I had spotted this myself, but to
   err is human. Also, the fix for the issue was posted on 2013-5-17.
 * The recent uptick in attack attempts is due to the fact that some wise crack
   has posted this old issue in some exploit place “[https://exploithub.com/catalog/product/view/id/580/](https://exploithub.com/catalog/product/view/id/580/)”
   and has created a video “[https://www.youtube.com/watch?v=lVWFCUcEbZ8](https://www.youtube.com/watch?v=lVWFCUcEbZ8)”.
   Here also, if you look closely, it refers to this entry “[http://packetstormsecurity.com/files/121637/WordPress-wp-FileManager-File-Download.html](http://packetstormsecurity.com/files/121637/WordPress-wp-FileManager-File-Download.html)”,
   which is dated 15 May 2013, and I have specifically commented in that reference
   also that the issue is fixed.
 * If it’s still available over the internet, I am not sure how we can push this out as
   updated, since the updated version has now been out for more than a year, so even
   the laziest of the folks should have updated the plugin.
 * -Anant


The topic ‘Security issues in this plugin!’ is closed to new replies.
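
A log check for the probe quoted in the first post, as an added example that is not part of the original thread or the plugin's code: it flags `libfile.php` download requests carrying a traversal path (including URL-encoded forms) and separates misses from responses that returned data. It assumes the "combined" access-log format, uses constructed sample lines, and assumes that the `die()` stub in 1.4.0 yields an empty 200 response.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2014:10:01:02 +0000] "GET /wp-content/plugins/wp-filemanager/incl/libfile.php?path=../../&filename=wp-config.php&action=download HTTP/1.1" 404 512 "-" "curl/7.30"
203.0.113.9 - - [01/Sep/2014:10:03:40 +0000] "GET /wp-content/plugins/wp-filemanager/incl/libfile.php?path=%2e%2e%2f%2e%2e%2f&filename=wp-config.php&action=download HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Sep/2014:10:04:15 +0000] "GET /wp-content/plugins/wp-filemanager/incl/libfile.php?path=../../&filename=wp-config.php&action=download HTTP/1.1" 200 0 "-" "curl/7.30"
198.51.100.4 - - [01/Sep/2014:10:05:11 +0000] "GET /wp-content/plugins/wp-filemanager/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Sep/2014:10:06:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')
TARGET = "/wp-filemanager/incl/libfile.php"

def classify(line):
    """Return (ip, status, verdict) for a libfile.php download probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status_text, size = m.groups()
    status = int(status_text)
    url = urlsplit(target)
    if not unquote(url.path).lower().endswith(TARGET):
        return None
    q = parse_qs(url.query, keep_blank_values=True)
    # parse_qs decodes once; unquote again so double-encoded "../" is also seen.
    path = unquote(q.get("path", [""])[0]).replace("\\", "/")
    filename = unquote(q.get("filename", [""])[0])
    hit = ".." in path or "wp-config" in filename
    if q.get("action", [""])[0] != "download" or not hit:
        return None
    body = 0 if size == "-" else int(size)
    # 2xx with a non-empty body: something was returned, review the host.
    # 404 (plugin absent) or an empty 200 (assumed die() stub) is a miss.
    verdict = "investigate" if 200 <= status < 300 and body > 0 else "rejected"
    return ip, status, verdict

def scan(log_text):
    """Classify every line and keep only the probe hits."""
    return [r for r in map(classify, log_text.splitlines()) if r]

if __name__ == "__main__":
    for ip, status, verdict in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {verdict}")
```

An "investigate" result on a real host means the installed plugin version should be checked against the fixed 1.4.0 release named in the reply above.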


 * 1 reply
 * 2 participants
 * Last reply from: [anantshri](https://wordpress.org/support/users/anantshri/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/security-issues-in-this-plugin/#post-5719278)
 * Status: resolved