CVE-2026-6382
9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | FileOrganizer | 0 < 1.1.9 | affected |
| Unknown | Advanced File Manager | 0 < 5.4.12 | affected |
| Unknown | File Manager Pro | 0 < 2.1.1 | affected |
| Unknown | File Manager | 0 < 8.0.4 | affected |
Weaknesses
- CWE-94 Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.