File Manager Vulnerability – Authenticated Directory Traversal – CVE-2024-2654 | WordPress Plugin Vulnerability Report

Plugin Name: File Manager

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-file-manager
  • Software Status: Active
  • Software Author: mndpsingh287
  • Software Downloads: 21,240,440
  • Active Installs: 1,000,000
  • Last Updated: April 3, 2024
  • Patched Versions: 7.2.6
  • Affected Versions: <= 7.2.5

Vulnerability Details:

  • Name: File Manager <= 7.2.5
  • Title: Authenticated (Administrator+) Directory Traversal
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
  • CVE: CVE-2024-2654
  • CVSS Score: 6.4
  • Publicly Published: April 3, 2024
  • Researcher: DarkT
  • Description: The File Manager plugin, which lets administrators manage files directly from the WordPress dashboard, has a Directory Traversal vulnerability in versions up to and including 7.2.5. The flaw, in the fm_download_backup function, allows authenticated users with administrative privileges to read arbitrary zip files on the server, potentially exposing sensitive data.


The File Manager plugin, a popular file management tool among WordPress users, is vulnerable in versions up to and including 7.2.5. CVE-2024-2654 lets authenticated administrators abuse the plugin's backup download functionality to perform Directory Traversal. The vulnerability is fixed in version 7.2.6.

Detailed Overview:

Research by DarkT uncovered this issue, which stems from inadequate restrictions in the plugin's fm_download_backup function. Directory Traversal flaws let an attacker navigate the server's directory structure and reach files outside the intended directories; in this case the exposure is read access to arbitrary zip files. The plugin developers released version 7.2.6 to close the flaw for WordPress sites using File Manager.

Advice for Users:

  • Immediate Action: Users of the File Manager plugin are strongly encouraged to update to version 7.2.6 immediately to safeguard their sites against this vulnerability.
  • Check for Signs of Vulnerability: Site administrators should monitor server logs and file access patterns for unusual activities that might indicate exploitation attempts.
  • Alternate Plugins: While the patch resolves the immediate threat, users may consider evaluating other file management plugins, particularly those with a robust track record of security and frequent updates.
  • Stay Updated: The dynamic nature of web security underscores the importance of regular updates to plugins, themes, and the WordPress core itself.


The resolution of CVE-2024-2654 in the File Manager plugin highlights the critical role of ongoing vigilance and timely updates in the realm of web security. For WordPress site operators, particularly small business owners who often manage their digital presence alongside myriad other responsibilities, this incident serves as a poignant reminder of the imperative to maintain an up-to-date and secure online infrastructure. In an era where digital threats are ever-present and evolving, the commitment to proactive security practices is indispensable in safeguarding the integrity and trustworthiness of your online presence.


Detailed Report: 

In today’s digital era, the security of a website is paramount, particularly for small business owners leveraging platforms like WordPress. This notion is starkly underscored by the recent discovery of a critical vulnerability in the File Manager plugin, a tool indispensable for managing files within WordPress. Identified as CVE-2024-2654, this vulnerability presents a stark reminder of the constant vigilance required to maintain web security and the essential nature of timely software updates.

Plugin Overview:

File Manager, developed by mndpsingh287, is a widely used WordPress plugin with over 1 million active installations. It facilitates direct file management from the WordPress dashboard, enhancing efficiency and user experience. Despite its utility, the plugin was found to have a Directory Traversal vulnerability in versions up to 7.2.5, which could allow authenticated users with administrative rights to access sensitive files on the server.

Vulnerability Details:

CVE-2024-2654, discovered by researcher DarkT, is a Directory Traversal flaw in the plugin's fm_download_backup function. It allows authenticated attackers with administrator-level access to read arbitrary zip files on the server, potentially exposing sensitive information. The issue was patched in version 7.2.6 of the plugin.

Risks and Impacts:

The exploitation of this vulnerability could have severe implications, from data breaches to the exposure of personally identifiable information (PII). For businesses, this not only risks their operational integrity but can also severely damage customer trust and brand reputation.

Remediation and User Advice:

To mitigate the risks associated with CVE-2024-2654, users must promptly update their File Manager plugin to version 7.2.6. Additionally, administrators should monitor server logs and file access patterns for any signs of unauthorized activities, which might indicate exploitation attempts. While the patched version addresses this specific threat, exploring alternative file management solutions with a strong security track record could offer an additional layer of security.
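The log monitoring advised above can be partly automated. The following is an added example, not code from the plugin or from this report: a Python scanner for Combined Log Format access logs that flags requests to the backup download route whose percent-decoded URL contains a `..` path segment. The route marker `EXAMPLE-FM-BACKUP-ROUTE`, the `name` parameter and the sample log lines are constructed placeholders; substitute the route your installed version exposes.

```python
import re
from urllib.parse import unquote

# Assumed placeholder for the plugin's backup-download route; replace it.
PLUGIN_MARKERS = ("EXAMPLE-FM-BACKUP-ROUTE",)

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".." path segment bounded by a separator or the end of the target.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_suspicious(lines, markers=PLUGIN_MARKERS):
    """Return requests to a marked route whose decoded target has a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        decoded = fully_decode(m["target"])
        if not any(mk.lower() in decoded.lower() for mk in markers):
            continue
        if TRAVERSAL_RE.search(decoded):
            hits.append({"ip": m["ip"], "status": int(m["status"]), "target": decoded})
    return hits

# Constructed sample lines (not real traffic); route and parameter are placeholders.
SAMPLE = [
    '203.0.113.10 - - [03/Apr/2024:10:00:01 +0000] "GET /wp-json/EXAMPLE-FM-BACKUP-ROUTE?name=backup_2024_04_01 HTTP/1.1" 200 51234',
    '203.0.113.77 - - [03/Apr/2024:10:05:12 +0000] "GET /wp-json/EXAMPLE-FM-BACKUP-ROUTE?name=../../other/site-export HTTP/1.1" 200 889120',
    '203.0.113.77 - - [03/Apr/2024:10:05:40 +0000] "GET /wp-json/EXAMPLE-FM-BACKUP-ROUTE?name=%252e%252e%252fother%252fsite-export HTTP/1.1" 200 889120',
    '198.51.100.4 - - [03/Apr/2024:10:06:00 +0000] "GET /index.php?page=../x HTTP/1.1" 404 162',
    'malformed entry',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(hit["ip"], hit["status"], hit["target"])
```

Traversal carried in a POST body or in an encoded parameter value does not appear in the logged URL, so treat an empty result as inconclusive rather than as proof that no access occurred.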

Previous Vulnerabilities:

The File Manager plugin has had 11 documented vulnerabilities since September 6, 2018. This history emphasizes the importance of regular security audits and updates to protect against emerging threats.


The swift resolution of CVE-2024-2654 in the File Manager plugin underscores the critical role of proactive security measures in the digital landscape. For small business owners, the incident highlights the dual necessity of relying on reputable plugins and maintaining a stringent update schedule. In a world where cyber threats continually evolve, the commitment to regular maintenance and updates is indispensable in safeguarding the integrity and trustworthiness of your online presence. Remember, the security of your WordPress site is not just a technical issue; it's a foundational element of your business's digital trust and reliability.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
