Vulnerability Description
The mndpsingh287 File Manager plugin V2.9 for WordPress has cross-site scripting (XSS) via the lang parameter of a wp-admin/admin.php?page=wp_file_manager request: file_folder_manager.php persists the unsanitized value with set_transient, and lib\wpfilemanager.php later echoes that stored value without escaping it.
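The store-then-echo pattern the description refers to, shown as an added example beside a hardened form. This is not the plugin's code: the file layout, function names, the transient key, the allow-list of languages and the output context (an HTML attribute) are all assumptions, and the WordPress functions are shimmed so the script runs with plain `php` outside WordPress.

```php
<?php
// Added illustration of CVE-2018-16363's defect class, not the plugin's source.
// Stand-ins for WordPress APIs so this runs with plain `php` (assumption: a
// transient is a short-lived key/value stored by WordPress; here it is an array).
if (!function_exists('set_transient')) {
    $GLOBALS['__transients'] = [];
    function set_transient($key, $value, $ttl = 0)
    {
        $GLOBALS['__transients'][$key] = $value;
        return true;
    }
    function get_transient($key)
    {
        return $GLOBALS['__transients'][$key] ?? false;
    }
    // Approximation of WordPress esc_attr(): entity-encode for an attribute context.
    function esc_attr($s)
    {
        return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// ---- Vulnerable pattern: ?lang=... is stored as-is, then echoed unescaped ----
// (transient key and markup are hypothetical)
function vulnerable_store_lang(array $get): void
{
    if (isset($get['lang'])) {
        set_transient('wpfm_lang', $get['lang'], 3600); // no validation, no escaping
    }
}

function vulnerable_render_lang(): string
{
    $lang = get_transient('wpfm_lang');
    return '<div data-lang="' . $lang . '"></div>'; // raw echo of stored user input
}

// ---- Hardened pattern: allow-list on write, escape on output ----
const ALLOWED_LANGS = ['en', 'de', 'fr', 'zh']; // assumed set of supported languages

function hardened_store_lang(array $get): void
{
    $lang = isset($get['lang']) ? strtolower((string) $get['lang']) : 'en';
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        $lang = 'en'; // fail closed: anything outside the allow-list is discarded
    }
    set_transient('wpfm_lang', $lang, 3600);
}

function hardened_render_lang(): string
{
    $lang = get_transient('wpfm_lang') ?: 'en';
    // Escaping for the context it lands in (attribute). The allow-list already
    // rules out metacharacters; escaping is the second, independent layer.
    return '<div data-lang="' . esc_attr($lang) . '"></div>';
}

// Constructed test input: a value that closes the attribute and injects a tag.
$request = ['lang' => '"><script>alert(1)</script>'];

vulnerable_store_lang($request);
echo "vulnerable: ", vulnerable_render_lang(), "\n";
// -> <div data-lang=""><script>alert(1)</script>"></div>

hardened_store_lang($request);
echo "hardened:   ", hardened_render_lang(), "\n";
// -> <div data-lang="en"></div>
```

Two points a practitioner should take from this. First, because the value goes through set_transient it outlives the request that set it, so the payload fires on a later page load rather than only in the attacker's own response; a reflected-XSS mindset ("the victim has to click the link") undercounts the exposure. Second, the escaping function must match the output context: esc_attr is right for an attribute, but a value echoed inside a script block needs JSON encoding instead, and the allow-list is what makes the fix robust regardless of context. The upstream changeset linked under References is the authoritative fix; this example only illustrates the defect class.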
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filemanagerpro | File Manager | 2.9 |
Related Weaknesses (CWE)
References
- http://blog.51cto.com/010bjsoft/2171087 (Exploit, Third Party Advisory)
- https://plugins.trac.wordpress.org/changeset/1936043 (Patch, Third Party Advisory)
- https://wordpress.org/support/topic/security-concern-6/#post-10655739 (Third Party Advisory)
- https://wpvulndb.com/vulnerabilities/9126 (Patch, Third Party Advisory)
FAQ
What is CVE-2018-16363?
CVE-2018-16363 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and...
How severe is CVE-2018-16363?
CVE-2018-16363 has been rated MEDIUM with a CVSS base score of 5.4/10. Exploitation requires a crafted request to the plugin's wp-admin page, and the injected value is persisted via a transient before being echoed, so it can execute for a user who later loads the page rather than only in the attacker's own response.
Is there a patch for CVE-2018-16363?
Yes. The references above include the plugin's changeset on plugins.trac.wordpress.org and the wpvulndb entry, both tagged Patch; use them to identify the fixed release. The affected product is Filemanagerpro File Manager 2.9.