Platform: wordpress
Component: file-manager-code-editor-backup
Fixed in: 1.4.9
CVE-2025-9345 is a Path Traversal vulnerability affecting the File Manager, Code Editor, and Backup by Managefy plugin for WordPress. It allows authenticated attackers with Subscriber-level access or higher to potentially access sensitive files outside of the intended directory. Versions 0 through 1.4.8 are affected. A patch is available to resolve this issue.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files on the server, including configuration files, database credentials, or other confidential data. The ability to read arbitrary files could lead to further compromise of the WordPress installation and potentially the entire server. Although exploitation requires authentication, the relatively low privilege level required (Subscriber) makes this vulnerability accessible to a significant portion of WordPress users. The impact is amplified if the server hosts multiple WordPress sites or if the plugin is used to manage backups containing sensitive data.
This vulnerability was publicly disclosed on 2025-08-28. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The relatively low CVSS score suggests a lower probability of exploitation compared to more critical vulnerabilities, but the ease of exploitation given authenticated access warrants attention.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Managefy plugin to a patched version. The vendor has not specified a fixed version, so check the vendor's website or the WordPress plugin repository for the latest release. As a temporary workaround, restrict file permissions on the WordPress server to limit the attacker's ability to access files outside the plugin's intended directory. Consider deploying a Web Application Firewall (WAF) with rules that block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access a file outside the intended directory via the plugin's AJAX download functionality; the request should be denied.
Update the File Manager, Code Editor, and Backup by Managefy plugin to the latest available version to resolve the Path Traversal vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Ensure you back up your website before updating any plugin.
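As an added illustration of the two defensive checks described in the mitigation above (a WAF-style rule for traversal sequences, and the server-side containment check a patched download handler should make before serving a file), here is a Python example; it is not the plugin's code and not part of the advisory. The sample log lines and the AJAX action name `example_download` are constructed, and POSIX paths are assumed.

```python
import os
from typing import List, Optional
from urllib.parse import unquote

def looks_like_traversal(raw: str, rounds: int = 2) -> bool:
    """WAF-style rule: true when any segment of the decoded value is '..'.
    Decoding is repeated (bounded) so "%2e%2e/" and double-encoded
    "%252e%252e/" are caught; backslashes are folded to "/"."""
    decoded = raw
    for _ in range(rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))

def resolve_within_base(base_dir: str, requested: str) -> Optional[str]:
    """Containment check a download handler should perform: the canonical
    path if it stays inside base_dir, else None. commonpath (not
    str.startswith) also rejects a sibling such as base_dir + "2"."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        return candidate if os.path.commonpath([base, candidate]) == base else None
    except ValueError:  # absolute/relative mix or different drives
        return None

# Constructed sample access-log lines (not from a real server), minimal
# "METHOD URL STATUS" shape; the AJAX action name is hypothetical.
SAMPLE_LOG = [
    "GET /wp-admin/admin-ajax.php?action=example_download&file=backups/site.zip 200",
    "GET /wp-admin/admin-ajax.php?action=example_download&file=../../wp-config.php 200",
    "GET /wp-admin/admin-ajax.php?action=example_download&file=%2e%2e%2f%2e%2e%2fwp-config.php 200",
    "GET /wp-admin/admin-ajax.php?action=example_download&file=..%252f..%252fwp-config.php 200",
    "GET /wp-content/uploads/2025/08/image.png 200",
]

def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return lines whose URL path or any query value looks like traversal."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path, _, query = parts[1].partition("?")
        values = [path] + [p.partition("=")[2] for p in query.split("&") if p]
        if any(looks_like_traversal(v) for v in values):
            flagged.append(line)
    return flagged
```

A literal "../" match alone would miss the two encoded lines in the sample; decoding before matching is what makes the rule useful.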
CVE-2025-9345 is a Path Traversal vulnerability in the Managefy WordPress plugin, allowing authenticated users to access files outside the intended directory.
You are affected if you are using the Managefy plugin versions 0 through 1.4.8 and have authenticated users with Subscriber-level access or higher.
Upgrade the Managefy plugin to the latest available version. Check the Managefy website or WordPress plugin repository for the patched version.
There are currently no known public exploits or active campaigns targeting CVE-2025-9345, but it is recommended to apply the patch as soon as possible.
Check the Managefy website or the WordPress plugin repository for the official advisory and patch information.