A vulnerability was discovered in the Media File Manager plugin version 1.4.2 for WordPress. It allows directory traversal and remote cross-site scripting (XSS) via the dir parameter of the mrelocator_getdir function, reached through wp-admin/admin-ajax.php. A working exploit has been disclosed.
The CVE ID assigned to this vulnerability is CVE-2018-19041.
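The defect class described above is a caller-supplied directory value that is used without being confined to the directory the endpoint is meant to serve. The following is an added example (not code from the plugin or from this advisory) showing the check a media-management endpoint should apply: resolve the requested subdirectory against a fixed base, reject anything that escapes it, and HTML-escape any directory name echoed back in the response. The base directory, the constructed sample values and the function names are assumptions for illustration; the plugin's own handling of the dir parameter is not shown on the page.

```python
import html
import os
import tempfile

# Assumed base directory (constructed for this example): a throwaway directory
# stands in for the site's uploads folder so the block runs offline.
UPLOADS_BASE = tempfile.mkdtemp(prefix="uploads-")


def resolve_within_base(base: str, user_dir: str):
    """Return the absolute path of user_dir inside base, or None if it escapes base.

    This is the confinement check a directory-listing or file-moving endpoint
    should run on a caller-supplied directory parameter before touching disk.
    """
    base_real = os.path.realpath(base)
    # Absolute input would make os.path.join discard the base; NUL bytes can
    # truncate the path in lower layers. Reject both outright.
    if os.path.isabs(user_dir) or "\x00" in user_dir:
        return None
    # realpath collapses "." and ".." segments and follows symlinks, so the
    # comparison below is made on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, user_dir))
    # commonpath (rather than str.startswith) prevents "/uploads-evil" from
    # being accepted as a child of "/uploads".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def is_confined(base: str, user_dir: str) -> bool:
    """Boolean view of resolve_within_base for quick policy checks."""
    return resolve_within_base(base, user_dir) is not None


def render_listing_heading(user_dir: str) -> str:
    """Escape the requested directory name before reflecting it into HTML.

    Reflecting the raw parameter is what turns a traversal probe into a
    cross-site scripting vector; escaping neutralises that second issue.
    """
    return "<h2>Listing: %s</h2>" % html.escape(user_dir, quote=True)


# Constructed sample values for the dir parameter, not taken from any capture.
SAMPLE_DIR_VALUES = [
    "2018/11",                 # ordinary subfolder: allowed
    "2018/../2019",            # normalises to a subfolder: allowed
    "",                        # the base itself: allowed
    "../../wp-config.php",     # climbs out of the base: rejected
    "/etc",                    # absolute path: rejected
    "2018\x00/../..",          # embedded NUL: rejected
]


def classify_samples(base: str = UPLOADS_BASE) -> dict:
    """Map each sample value to True (confined) or False (rejected)."""
    return {value: is_confined(base, value) for value in SAMPLE_DIR_VALUES}


if __name__ == "__main__":
    for value, verdict in classify_samples().items():
        print("%-24r -> %s" % (value, "allowed" if verdict else "rejected"))
    print(render_listing_heading("<img src=x onerror=alert(1)>"))
```

The confinement test compares canonical paths rather than looking for ".." in the string, so encoded or normalised variants that still resolve inside the base are accepted and anything that resolves outside it is refused regardless of how it was spelled.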
The Media File Manager plugin for WordPress helps to organize the WordPress Media Library. Uploaded files can be renamed, previewed, deleted and moved to other folders. The plugin can be utilized by administrators, authors, contributors and subscribers.
The plugin has been removed from the WordPress plugin repository. There is currently no known mitigation, and it is recommended that the plugin be permanently deleted from your WordPress installation.