Title: SECURITY VULNERABILITY!
Last modified: October 25, 2023

---

# SECURITY VULNERABILITY!

 *  Resolved [jmar](https://wordpress.org/support/users/jmar1/)
 * (@jmar1)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-95/)
 * This file manager uses “elFinder” as its core component for file management.
 * /wp-file-manager/lib/js/elfinder.min.js
 * Version 2.1.49 (2019-04-14)
 * At “www.cvedetails.com” search “elFinder”
 * At “github.com” search “Studio-42/elFinder”
 * CVE-2023-35840
   _joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder
   before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector. In
   Studio-42 elFinder 2.1.60, there is a vulnerability that causes remote code execution
   through file name bypass for file upload.
 * CVE-2022-27115
   In Studio-42 elFinder 2.1.60, there is a vulnerability that causes
   remote code execution through file name bypass for file upload.
 * CVE-2022-26960
   connector.minimal.php in std42 elFinder through 2.1.60 is affected
   by path traversal. This allows unauthenticated remote attackers to read, write,
   and browse files outside the configured document root. This is due to improper
   handling of absolute file paths.
 * CVE-2021-43421
   A File Upload vulnerability exists in Studio-42 elFinder 2.0.4
   to 2.1.59 via connector.minimal.php, which allows a remote malicious user to 
   upload arbitrary files and execute PHP code.
 * CVE-2021-23394
   The package studio-42/elfinder before 2.1.58 are vulnerable to
   Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: 
   This only applies if the server parses .phar files as PHP.
    -  This topic was modified 2 years, 7 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).
    -  This topic was modified 2 years, 7 months ago by [jmar](https://wordpress.org/support/users/jmar1/).
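
A defender-side check for the situation reported above, as an added example that is not part of the original post or the plugin's code: it reads the `Version x.y.z` banner from each bundled `elfinder.min.js` and lists which of the CVE ranges quoted in the post contain that version. The sample banner is constructed, and treating the JavaScript banner as the version of the bundled PHP connector is an assumption.

```python
import re
from pathlib import Path

# Affected ranges exactly as worded in the post: (CVE, lowest, highest, highest_inclusive).
# None means the post states no lower bound.
AFFECTED = [
    ("CVE-2023-35840", None, (2, 1, 62), False),       # "before 2.1.62"
    ("CVE-2022-27115", (2, 1, 60), (2, 1, 60), True),  # "In ... elFinder 2.1.60"
    ("CVE-2022-26960", None, (2, 1, 60), True),        # "through 2.1.60"
    ("CVE-2021-43421", (2, 0, 4), (2, 1, 59), True),   # "2.0.4 to 2.1.59"
    ("CVE-2021-23394", None, (2, 1, 58), False),       # "before 2.1.58"
]

BANNER = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)\b")


def banner_version(text):
    """Return (major, minor, patch) from an elFinder banner comment, or None."""
    m = BANNER.search(text[:2048])  # the banner sits at the top of the file
    return tuple(int(p) for p in m.groups()) if m else None


def matching_cves(version):
    """List the CVEs from the post whose stated range contains `version`."""
    hits = []
    for cve, low, high, inclusive in AFFECTED:
        if low is not None and version < low:
            continue
        if version < high or (inclusive and version == high):
            hits.append(cve)
    return hits


def scan(root):
    """Map each elfinder.min.js under `root` to (version, matching CVEs).

    A version of None means the banner was missing or stripped: treat that
    copy as unknown, not as clean.
    """
    report = {}
    for path in Path(root).rglob("elfinder.min.js"):
        version = banner_version(path.read_text(errors="replace"))
        report[str(path)] = (version, matching_cves(version) if version else [])
    return report


# Constructed sample banner using the version string quoted in the post.
SAMPLE = "/*!\n * elFinder - file manager for web\n * Version 2.1.49 (2019-04-14)\n */"

if __name__ == "__main__":
    v = banner_version(SAMPLE)
    print(v, matching_cves(v))
```

Point `scan()` at `wp-content/plugins` to cover every plugin that bundles its own elFinder copy.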

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [2 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-95/#post-17150967)
 * Moderator note: This is not a review; it’s a support request and has been moved
   to that section of this plugin’s area.
 *  [file manager support](https://wordpress.org/support/users/filemanagersupport/)
 * (@filemanagersupport)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-95/#post-17152805)
 * Hi [@jmar1](https://wordpress.org/support/users/jmar1/),
 * Thanks for bringing this to our attention. We really appreciate your effort and vigilance.
 * After conducting a thorough investigation and identifying the security issues
   you mentioned in your message, we are pleased to announce that these vulnerabilities
   have been addressed, and we will be releasing a full update tomorrow to ensure that
   these concerns are fully resolved.
 * We want to assure you that the security and integrity of your data is of utmost
   importance to us, and we take these matters extremely seriously. An update with
   these security fixes will be released tomorrow.
 * If you have any further questions or concerns, please do not hesitate to contact
   our support team. Thank you again for your hard work in reporting these vulnerabilities.
 * Regards,
   WP File Manager Support Team


The topic ‘SECURITY VULNERABILITY!’ is closed to new replies.
