🔐 CVE Alert

CVE-2025-0818

MEDIUM 6.5

Multiple elFinder Plugins <= (Various Versions) - Directory Traversal to Arbitrary File Deletion

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.

CWE: CWE-22
Vendor: ninjateam
Product: file manager pro – filester
Published: Aug 13, 2025
Last Updated: Apr 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
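Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: None (C:N)
Integrity: High (I:H)
Availability: Low (A:L)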

Affected Versions

ninjateam / File Manager Pro – Filester: 0 ≤ 1.8.9
saadiqbal / Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution: 0 ≤ 5.3.6
File Manager / File Manager Pro: 0 ≤ 8.4.2

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c2a166de-3bdf-4883-91ba-655f2757c53b?source=cve
github.com: https://github.com/Studio-42/elFinder
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-file-manager/trunk/lib/php/elFinder.class.php
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/library/php/elFinder.class.php#L5411
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/lib/php/elFinder.class.php#L5378
github.com: https://github.com/Studio-42/elFinder/blob/master/php/elFinder.class.php#L5367
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3319016/filester
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3335715/file-manager-advanced/trunk/application/library/php/elFinder.class.php

Credits

Kevin Wydler