๐Ÿ” CVE Alert

CVE-2026-6382

CRITICAL 9.1

Multiple elFinder Plugins - Authenticated OS Command Injection

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

Vendor unknown
Product fileorganizer
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for unknown fileorganizer

Be the first to know when new critical vulnerabilities affecting unknown fileorganizer are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / FileOrganizer
0 < 1.1.9
Unknown / Advanced File Manager
0 < 5.4.12
Unknown / File Manager Pro
0 < 2.1.1
Unknown / File Manager
0 < 8.0.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/

Credits

mcdruid WPScan