Platform: wordpress
Component: file-manager-code-editor-backup
Fixed version: 1.4.9
CVE-2025-9345 is a path traversal vulnerability in the File Manager, Code Editor, and Backup by Managefy plugin for WordPress. It allows authenticated attackers with Subscriber-level access or higher to access sensitive files outside the intended directory. All versions up to and including 1.4.8 are affected; version 1.4.9 fixes the issue.
An attacker exploiting this vulnerability could gain unauthorized read access to sensitive files on the server, including configuration files, database credentials, or other confidential data. Arbitrary file read of this kind can lead to further compromise of the WordPress installation and potentially of the entire server. Although authentication is required, a Subscriber account is the lowest privilege level WordPress offers, so on sites with open registration the vulnerability is reachable by anyone who signs up. The impact is amplified if the server hosts multiple WordPress sites or if the plugin is used to manage backups containing sensitive data.
This vulnerability was publicly disclosed on 2025-08-28. No public exploits or active campaigns targeting it are currently known, and it is not listed in the CISA KEV catalog. Its relatively low CVSS score suggests a lower probability of exploitation than more critical vulnerabilities, but because any Subscriber-level account suffices, it still warrants prompt attention.
WordPress sites running the File Manager, Code Editor, and Backup by Managefy plugin, particularly those with untrusted Subscriber-level accounts (for example, sites with open user registration). Shared hosting environments where users have limited control over file permissions are also at increased risk.
• wordpress / composer / npm:
grep -rn "ajax_downloadfile" /var/www/html/wp-content/plugins/managefy/ # locate the AJAX download handler in the installed plugin
• generic web:
curl -s -i 'https://your-wordpress-site.com/wp-content/plugins/managefy/ajax_downloadfile.php?file=../../../../etc/passwd' # attempt path traversal; a patched install must not return file contents
Note: the plugin directory and endpoint path above are illustrative. Adjust them to the directory the plugin is actually installed under (the plugin slug given on this page is file-manager-code-editor-backup).
Exploit status
EPSS: 0.06% (19th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade the plugin to version 1.4.9 or later, the release that fixes this issue (check the WordPress plugin repository or the vendor's website for the current release). If you cannot upgrade immediately, deactivate the plugin, or at least make sure untrusted users cannot obtain Subscriber-level accounts (for example, by disabling open registration). Restricting file permissions on the server limits what the web server user, and therefore the plugin, can read, but it cannot protect files that user must read anyway, such as wp-config.php, so treat it as a partial measure. A Web Application Firewall (WAF) rule that blocks path traversal sequences (../ and URL-encoded forms such as %2e%2e%2f) in the relevant request parameter adds a further layer. After upgrading, verify the fix by requesting a file outside the intended directory through the plugin's AJAX download functionality; the request should be denied and no file contents returned.
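A worked version of the "am I affected" and "is it fixed" checks, as an added example that is not code from this advisory or from the Managefy plugin. It assumes the usual WordPress layout (wp-content/plugins/<slug>/ with a Version: header in the plugin's main PHP file; the file name file-manager.php and the sample directories are constructed for the demo) and GNU coreutils realpath -m. The first part reads the installed version and compares it with 1.4.9; the second part shows the canonical-path containment test that a patched download handler must enforce, which is what "access should be denied" amounts to on the server side.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Managefy plugin.
# Part 1: is the installed plugin below the fixed version 1.4.9?
# Part 2: the path-containment test a patched download handler has to pass.
# Assumptions: wp-content/plugins/<slug>/ layout with a "Version:" header in
# the plugin's main PHP file (WordPress requires one), GNU coreutils realpath.

FIXED_VERSION="1.4.9"

# Print the version declared in the first "Version:" header found among the
# top-level PHP files of a plugin directory; print nothing if there is none.
installed_plugin_version() {
    plugin_dir="$1"
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$plugin_dir"/*.php 2>/dev/null \
        | head -n1 \
        | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# True (0) when version "$1" sorts strictly before version "$2".
# sort -V compares numerically per component, so 1.4.10 is newer than 1.4.9.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# 0: installed version is in the affected range (< 1.4.9)
# 1: installed version is 1.4.9 or later
# 2: no Version header could be read (unknown; treat as affected)
is_vulnerable() {
    v="$(installed_plugin_version "$1")"
    [ -n "$v" ] || return 2
    if version_lt "$v" "$FIXED_VERSION"; then return 0; else return 1; fi
}

# The containment test: resolve the requested name against the intended base
# directory (".." and symlinks included) and accept it only if the canonical
# result is strictly inside the base. Returns 0 when contained, 1 otherwise.
within_base() {
    base="$(realpath -m "$1")"
    target="$(realpath -m "$1/$2")"
    case "$target" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# --- Constructed sample data (not real plugin files) ---
SAMPLE_ROOT="$(mktemp -d)"
VULN_DIR="$SAMPLE_ROOT/file-manager-code-editor-backup-old"
PATCHED_DIR="$SAMPLE_ROOT/file-manager-code-editor-backup"
mkdir -p "$VULN_DIR" "$PATCHED_DIR/backups"
printf '<?php\n/*\nPlugin Name: File Manager, Code Editor, and Backup\nVersion: 1.4.8\n*/\n' \
    > "$VULN_DIR/file-manager.php"
printf '<?php\n/*\nPlugin Name: File Manager, Code Editor, and Backup\nVersion: 1.4.9\n*/\n' \
    > "$PATCHED_DIR/file-manager.php"
: > "$PATCHED_DIR/backups/site.zip"

# Stand-alone run: report each sample directory, then exercise the containment test.
for d in "$VULN_DIR" "$PATCHED_DIR"; do
    rc=0; is_vulnerable "$d" || rc=$?
    case $rc in
        0) echo "$d: version $(installed_plugin_version "$d") is below $FIXED_VERSION: affected" ;;
        1) echo "$d: version $(installed_plugin_version "$d"): not affected" ;;
        *) echo "$d: no Version header found, treat as affected" ;;
    esac
done
for req in "site.zip" "../../../../etc/passwd" "../file-manager.php"; do
    if within_base "$PATCHED_DIR/backups" "$req"; then
        echo "$req: allowed"
    else
        echo "$req: denied"
    fi
done
```

On a real site, point is_vulnerable at the plugin's directory under wp-content/plugins/ and remove the sample-data section; the temporary directory created for the demo can be deleted afterwards. The containment test is the property to look for in the patched handler: a string check for "../" alone is not enough, because encoded or symlinked variants bypass it, whereas comparing canonicalized paths does not.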
Update the File Manager, Code Editor, and Backup by Managefy plugin to the latest available version to fix the path traversal vulnerability. Check for updates in the WordPress plugin repository or on the developer's website. Make sure to back up your site before updating any plugin.
CVE-2025-9345 is a Path Traversal vulnerability in the Managefy WordPress plugin, allowing authenticated users to access files outside the intended directory.
You are affected if you are using the Managefy plugin versions 0 through 1.4.8 and have authenticated users with Subscriber-level access or higher.
Upgrade the Managefy plugin to version 1.4.9 or later. The WordPress plugin repository or the Managefy website will show the current release.
There are currently no known public exploits or active campaigns targeting CVE-2025-9345, but it is recommended to apply the patch as soon as possible.
Check the Managefy website or the WordPress plugin repository for the official advisory and patch information.