Media File Manager plugin for WordPress exploited

An exploit was discovered in The Media File Manager plugin version 1.4.2 for WordPress. This vulnerability allows for directory traversal and the initiation of a remote cross site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function of the file wp-admin/admin-ajax.php. A working exploit has been dislosed.

The CVE ID that was assigned to this exploit is: CVE-2018-19041

The Media File Manager plugin for WordPress helps to organize the WordPress Media Library. Uploaded files can be renamed, previewed, deleted and moved to other folders. The plugin can be utilized by administrators, authors, contributors and subscribers.



The plugin has been removed from the WordPress plugin repository. There is currently no known mitigation and it is recommended that the plugin is permanently deleted from your WordPress installation.


Related Posts

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.