CVE-2025-9345 in File Manager, Code Editor, and Backup by Managefy Plugin

Summary

by MITRE • 08/28/2025

The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.


Analysis

by VulDB Data Team • 08/30/2025

The vulnerability identified as CVE-2025-9345 affects the File Manager, Code Editor, and Backup by Managefy plugin for WordPress, representing a critical path traversal flaw that undermines the security boundaries of the affected system. This vulnerability exists within the ajax_downloadfile() function and impacts all versions up to and including 1.4.8, creating a significant risk for WordPress installations that utilize this plugin. The flaw allows authenticated attackers who possess Subscriber-level access or higher to bypass intended directory restrictions and access files outside the plugin's designated operational scope.

The technical root cause of this vulnerability is insufficient input validation and sanitization within the ajax_downloadfile() function. When processing file operations, the plugin does not properly validate the user-supplied file path, so a request containing directory traversal sequences such as ../ or ..\ can escape the intended file system boundary. This weakness maps directly to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. In effect, a crafted request can read arbitrary files the web server process can access, potentially exposing sensitive data including configuration files, database credentials, and other system resources that should remain protected.

The operational impact of this vulnerability extends beyond simple unauthorized file access, as it provides attackers with the capability to perform a wide range of malicious activities within the compromised WordPress environment. An attacker with Subscriber-level access can leverage this vulnerability to download configuration files that may contain database passwords, API keys, or other sensitive credentials. The attack surface is particularly concerning because it requires only a low-privilege account to exploit, making it accessible to users who may have been granted minimal permissions for legitimate purposes such as commenting or content submission. This vulnerability can facilitate further attacks including privilege escalation, data exfiltration, and potentially complete system compromise if the attacker can access files containing system-level credentials or application secrets.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1078.004, which covers the abuse of legitimate credentials to reach systems and data the account was never meant to access. The path traversal flaw lets an authenticated user read files beyond the intended directory, including files that may contain sensitive information or system configuration. The low barrier to exploitation makes this vulnerability particularly dangerous in environments where user accounts are not properly monitored or where default WordPress user roles are not adequately restricted. Organizations using this plugin should consider network-based mitigations such as web application firewalls that can detect and block path traversal patterns in HTTP requests.

The remediation strategy for this vulnerability requires immediate patching of the Managefy plugin to version 1.4.9 or later, which contains the necessary input validation and sanitization fixes. System administrators should also implement additional security controls including regular security audits of installed plugins, monitoring for unauthorized file access attempts, and ensuring that user accounts are granted the minimum necessary permissions. The vulnerability highlights the importance of proper input validation and the principle of least privilege in web application security, particularly for plugins that handle file system operations and user access controls. Organizations should conduct comprehensive vulnerability assessments to identify other plugins that may contain similar path traversal vulnerabilities and ensure that all WordPress installations maintain up-to-date security patches to prevent exploitation of known vulnerabilities.
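Added example, not the Managefy plugin's own code: the kind of containment check the paragraphs above describe as missing from ajax_downloadfile() and as the substance of the remediation. The user-supplied path is canonicalised with realpath() and served only if it still lies under the intended directory; the function name, the sandbox paths and the sample requests are assumptions constructed for the demo.

```php
<?php
// Added example, not the Managefy plugin's code: a containment check for a
// download handler, so a user-supplied relative path cannot escape the
// directory the handler serves. Function and variable names are hypothetical.
// Resolve $user_path against $base_dir and return the canonical absolute path,
// or null when the result would lie outside $base_dir (CWE-22 path traversal).
function resolve_within_base(string $base_dir, string $user_path): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // An embedded NUL byte can truncate the path at the filesystem layer.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    // Treat "..\" like "../" so Windows-style traversal gets the same handling.
    $user_path = str_replace('\\', '/', $user_path);
    // realpath() collapses "." and ".." and follows symlinks, so the prefix test
    // below runs on the path the OS would actually open.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($user_path, '/'));
    if ($target === false) {
        return null; // nonexistent file: same answer as an out-of-scope one
    }
    // The prefix must end in a separator: "/srv/files" must not accept
    // "/srv/files_backup/secret".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox: one legitimate file inside the served directory and one
// sibling file outside it that the handler must never return.
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
mkdir("$root/files/sub", 0700, true);
file_put_contents("$root/files/report.txt", "ok");
file_put_contents("$root/outside.txt", "secret");
$requests = ['report.txt', 'sub/../report.txt', '../outside.txt',
             '..\\outside.txt', 'sub/../../outside.txt', '/etc/passwd'];
foreach ($requests as $req) {
    $resolved = resolve_within_base("$root/files", $req);
    printf("%-24s %s\n", $req, $resolved === null ? 'blocked' : 'allowed: ' . $resolved);
}
// Clean up the sandbox.
unlink("$root/files/report.txt"); unlink("$root/outside.txt");
rmdir("$root/files/sub"); rmdir("$root/files"); rmdir($root);
```

Note that the check is made on the canonical path rather than on the raw request string, so encoded or mixed-separator traversal sequences that survive decoding are caught along with plain ../ sequences.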

Disclosure: 08/28/2025

Moderation: accepted

CPE: ready

EPSS: 0.00135

KEV: no

Activities: very low
