Home Latest Cyber Security News | Network Security Hacking Multiple Vulnerabilities Spotted In elFinder File Manager WordPress Plugin
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Multiple Vulnerabilities Spotted In elFinder File Manager WordPress Plugin

by Abeerah Hashim
written by Abeerah Hashim
elfinder file manager vulnerabilities

Numerous critical security vulnerabilities riddled the file manager plugin elFinder. Exploiting these bugs could allow an adversary to take control of the underlying server and access the data. Since the vendors have patched the flaws, users must ensure updating their sites at the earliest.

elFinder File Manager Plugin Vulnerabilities

Researchers from SonarSource have recently elaborated on the vulnerabilities in the elFinder file manager plugin.

elFinder is a typical web file manager plugin for CMS and frameworks. It’s an open-source resource allowing easy management of local and remote files.

Specifically, the researchers found five different critical security flaws in the plugin. All of them have received the same CVE number CVE-2021-32682. Exploiting the bugs could allow an adversary to execute arbitrary PHP codes on the server with vulnerable elFinder.

Without requiring authentication, the adversary could delete, move, or upload arbitrary files via these vulnerabilities. Also, exploiting the flaws could lead to race condition and argument injection.

Technical details of these vulnerabilities are available in the researchers’ post.

Patches Released

Upon discovering the bugs in March 2021, the researchers contacted the developers to report the matter. Eventually, the developers released fixes for all the vulnerabilities with the release of elFinder 2.1.59. The changes are also evident from the changelog on GitHub.

Commenting about the vulnerabilities, the researchers stated,

There is no doubt these vulnerabilities will also be exploited in the wild, because exploits targeting old versions have been publicly released and the connectors filenames are part of compilations of paths to look for when trying to compromise websites.

Given the severity of the bugs, if exploited in the wild, and the ease of exploitation, the researchers urge all users to update to the latest patched version at the earliest.

We urge you to immediately upgrade to elFinder 2.1.59. We also advise enforcing strong access control on the connector (e.g. basic access authentication).

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...