According to Wordfence, the plugin renamed "the file extension to .php on the connector.minimal.php.dist file of the elFinder library, so that it could be executed directly, even though the connector file was not used by the File Manager itself."

"Consumers must continue to guard their personal data and check their credit history for signs of fraud," said Ameet Naik, PerimeterX's security evangelist, in an email statement.

With no restriction on direct access, the file was open to everyone, but built-in protection in elFinder prevented directory traversal, thereby limiting exploitation solely to the directory plugins/wp-file-manager/lib/files/. The observed attacks therefore leveraged the upload command to drop PHP files containing webshells into the directory wp-content/plugins/wp-file-manager/lib/files/, Wordfence explained. The code was published as an example, but applied to the WordPress plugin, it gave attackers unauthenticated access to the file upload.

The hosting service said versions of File Manager before 6.9 are affected, and disabling the extension does not prevent abuse. The firm also reported that over the past few days it has detected close to half a million attempts to exploit the bug, but these appear to be testing attempts, with malicious files inserted only later.

Website owners need to use strong multi-factor authentication to protect their sites and reduce the risk of a major data breach.

Rated with a CVSS score of 10, the critical security vulnerability recently found may have allowed an attacker to upload files and execute code remotely on an affected website, revealed Seravo, which disclosed the flaw. When it was found, botnets were already exploiting the security bug, Seravo revealed.
"Attackers may use these types of vulnerabilities to gain privileged access to a site and plant malicious JavaScript code which can steal user data, spread malware or hijack users to nefarious websites."

Built to provide copy/paste, edit, delete, download/upload, and archive features for both files and directories to WordPress site administrators, File Manager has more than 700,000 active installs. "We urgently advise everyone to upgrade to the latest version or rather uninstall the plugin if using something less than the latest version of WP File Manager 6.9," Seravo said.

The problem has been found to lie in code adopted from the elFinder project, a platform for providing a file explorer GUI to web apps.