CVE-2026-6382
Multiple elFinder Plugins - Authenticated OS Command Injection
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
| Vendor | unknown |
| Product | fileorganizer |
| Published | Jul 6, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown fileorganizer
Be the first to know when new critical vulnerabilities affecting unknown fileorganizer are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / FileOrganizer
0 < 1.1.9
Unknown / Advanced File Manager
0 < 5.4.12
Unknown / File Manager Pro
0 < 2.1.1
Unknown / File Manager
0 < 8.0.4
References
Credits
mcdruid WPScan