Vulnerability Details CVE-2018-7204
inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for WordPress logged activity related to the plugin in /wp-content/uploads/file-manager/log.txt. If a user edits the wp-config.php file using this plugin, the wp-config.php contents get added to log.txt, which is not protected and contains database credentials, salts, etc. These files have been indexed by Google and a simple dork will find affected sites.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://plugins.trac.wordpress.org/changeset/1823035/file-manager
- https://wordpress.org/plugins/file-manager/#developers
- https://wpvulndb.com/vulnerabilities/9036
- https://plugins.trac.wordpress.org/changeset/1823035/file-manager
- https://wordpress.org/plugins/file-manager/#developers
- https://wpvulndb.com/vulnerabilities/9036
Products affected by CVE-2018-7204
-
cpe:2.3:a:giribaz:file_manager:1.0
-
cpe:2.3:a:giribaz:file_manager:2.0
-
cpe:2.3:a:giribaz:file_manager:2.0.1
-
cpe:2.3:a:giribaz:file_manager:2.2.0
-
cpe:2.3:a:giribaz:file_manager:2.2.1
-
cpe:2.3:a:giribaz:file_manager:2.2.2
-
cpe:2.3:a:giribaz:file_manager:2.2.3
-
cpe:2.3:a:giribaz:file_manager:2.2.4
-
cpe:2.3:a:giribaz:file_manager:3.0.0
-
cpe:2.3:a:giribaz:file_manager:4.0.4
-
cpe:2.3:a:giribaz:file_manager:4.1.0
-
cpe:2.3:a:giribaz:file_manager:4.1.1
-
cpe:2.3:a:giribaz:file_manager:4.1.2
-
cpe:2.3:a:giribaz:file_manager:4.1.3
-
cpe:2.3:a:giribaz:file_manager:4.1.4
-
cpe:2.3:a:giribaz:file_manager:4.1.6
-
cpe:2.3:a:giribaz:file_manager:5.0.0