CVE-2026-6382 (GCVE-0-2026-6382)
Vulnerability from cvelistv5 – Published: 2026-07-06 06:00 – Updated: 2026-07-06 11:59
VLAI
Title
Multiple elFinder Plugins - Authenticated OS Command Injection
Summary
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/a27f70b7-a4cc-42… | exploitvdb-entrytechnical-description |
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | FileOrganizer |
Affected:
0 , < 1.1.9
(semver)
|
|
| Unknown | Advanced File Manager |
Affected:
0 , < 5.4.12
(semver)
|
|
| Unknown | File Manager Pro |
Affected:
0 , < 2.1.1
(semver)
|
|
| Unknown | File Manager |
Affected:
0 , < 8.0.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T11:59:11.815709Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T11:59:43.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FileOrganizer",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced File Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.4.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "File Manager Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "File Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "8.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mcdruid"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T06:00:02.217Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Multiple elFinder Plugins - Authenticated OS Command Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2026-6382",
"datePublished": "2026-07-06T06:00:02.217Z",
"dateReserved": "2026-04-15T17:44:55.095Z",
"dateUpdated": "2026-07-06T11:59:43.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6382",
"date": "2026-07-06",
"epss": "0.00515",
"percentile": "0.40083"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6382\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2026-07-06T08:16:36.447\",\"lastModified\":\"2026-07-06T18:37:01.220\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.\"},{\"lang\":\"es\",\"value\":\"El plugin FileOrganizer para WordPress anterior a la versi\u00f3n 1.1.9, el plugin Advanced File Manager para WordPress anterior a la versi\u00f3n 5.4.12, el plugin File Manager Pro para WordPress anterior a la versi\u00f3n 2.1.1 y el plugin File Manager para WordPress anterior a la versi\u00f3n 8.0.4 no escapan correctamente un par\u00e1metro antes de pasarlo a un comando de shell al procesar operaciones con im\u00e1genes, lo que permite a los usuarios autenticados llevar a cabo una inyecci\u00f3n de comandos del sistema operativo. Para ello, es necesario que el servidor disponga de la interfaz de l\u00ednea de comandos (CLI) de ImageMagick sin las extensiones PHP imagick ni GD.\"}],\"affected\":[{\"source\":\"contact@wpscan.com\",\"affectedData\":[{\"vendor\":\"Unknown\",\"product\":\"FileOrganizer\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"1.1.9\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Unknown\",\"product\":\"Advanced File Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"5.4.12\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Unknown\",\"product\":\"File Manager Pro\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"2.1.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Unknown\",\"product\":\"File Manager\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"8.0.4\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-06T11:59:11.815709Z\",\"id\":\"CVE-2026-6382\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"references\":[{\"url\":\"https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/\",\"source\":\"contact@wpscan.com\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"shortName\": \"WPScan\", \"dateUpdated\": \"2026-07-06T06:00:02.217Z\"}, \"title\": \"Multiple elFinder Plugins - Authenticated OS Command Injection\", \"problemTypes\": [{\"descriptions\": [{\"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"Unknown\", \"product\": \"FileOrganizer\", \"versions\": [{\"status\": \"affected\", \"versionType\": \"semver\", \"version\": \"0\", \"lessThan\": \"1.1.9\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"Advanced File Manager\", \"versions\": [{\"status\": \"affected\", \"versionType\": \"semver\", \"version\": \"0\", \"lessThan\": \"5.4.12\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"File Manager Pro\", \"versions\": [{\"status\": \"affected\", \"versionType\": \"semver\", \"version\": \"0\", \"lessThan\": \"2.1.1\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Unknown\", \"product\": \"File Manager\", \"versions\": [{\"status\": \"affected\", \"versionType\": \"semver\", \"version\": \"0\", \"lessThan\": \"8.0.4\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.\"}], \"references\": [{\"url\": \"https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\"]}], \"credits\": [{\"lang\": \"en\", \"value\": \"mcdruid\", \"type\": \"finder\"}, {\"lang\": \"en\", \"value\": \"WPScan\", \"type\": \"coordinator\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"WPScan CVE Generator\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6382\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-06T11:59:11.815709Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-06T11:59:40.621Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6382\", \"assignerOrgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"WPScan\", \"dateReserved\": \"2026-04-15T17:44:55.095Z\", \"datePublished\": \"2026-07-06T06:00:02.217Z\", \"dateUpdated\": \"2026-07-06T11:59:43.823Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…