Exploitation Summary
CVE-2020-24312 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
mndpsingh287 WP File Manager v6.4 and lower fails to restrict external access to the fm_backups directory with a .htaccess file. This results in the ability for unauthenticated users to browse and download any site backups, which sometimes include full database backups, that the plugin has taken.
Nuclei Templates (1)
WordPress Plugin File Manager (wp-file-manager) Backup Disclosure
HIGHby x1m_martijn
References (1)
Core 1
Core References
Exploit, Third Party Advisory, URL Repurposed x_refsource_misc
https://zeroaptitude.com/zerodetail/wordpress-plugin-bug-hunting-part-1/
Scores
CVSS v3
7.5
EPSS
0.1633
EPSS Percentile
96.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-552
Status
published
Products (1)
filemanagerpro/file_manager
< 6.4
Published
Aug 26, 2020
Tracked Since
Feb 18, 2026