cvedb.io
CVE-2022-0403
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2022-04-04T16:15:09.043 · Last modified 2026-06-17T04:20:32.440

Summary

The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.

Affected products

wpjos — library_file_manager

Does this affect you?

Add your gear to cvedb and we'll alert you only when wpjos ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.