File Manager Pro < 1.8 - Remote Code Execution via CSRF

The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

N/A

N/A

WordPress plugin File Manager Pro 跨站请求伪造漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin File Manager Pro 1.8 版本之前存在跨站请求伪造漏洞，该漏洞源于无法正确检查“fs_connector”AJAX 操作中的 CSRF 随机数。

N/A

N/A