WordPress Plugin Wpfilemanager 6.8 RCE

Description

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. ^OWASP

Recommendation

Update or remove the affected plugin.

References

• WordPress: File Manager
• OWASP: Command Injection
• WordPress
• CVE-2020-25213
• OWASP 2017-A9
• OWASP 2021-A6
• CWE-77
• OWASP 2017-A1
• OWASP 2021-A3
• CWE-20