CVE-2025-9345

MEDIUM

Managefy plugin <1.4.8 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-9345. PoCs published by NagisaYumaa.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-9345, a path traversal vulnerability in the 'File Manager, Code Editor, and Backup by Managefy' WordPress plugin. The vulnerability allows authenticated users with low privileges to download arbitrary files due to insufficient sanitization of the 'flm_file' parameter.

Description

The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.

Exploits (1)

nomisec WRITEUP
by NagisaYumaa · poc
https://github.com/NagisaYumaa/CVE-2025-9345


Classification: Writeup (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: File Manager, Code Editor, and Backup by Managefy (WordPress plugin)
Auth required: yes
Prerequisites: Authenticated access to WordPress with Subscriber+ privileges; Burp Suite or similar tool for request interception
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 4.9
EPSS: 0.0046
EPSS Percentile: 36.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1): softdiscover/File Manager, Code Editor, and Backup by Managefy < 1.4.8
Published: Aug 28, 2025
Tracked Since: Feb 18, 2026