Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Security & Risk Analysis

wordpress.org/plugins/file-manager-advanced

Use Advanced File Manager to manage WordPress files, create archives, and build document libraries—all directly from your WordPress dashboard!

100K active installs · v5.4.10 · PHP 7.0+ · WP 4.0+ · Updated Mar 11, 2026

Tags: advance-file-manager, document-management, file-manager, ftp, wp-file-manager

Score: 90 (A · Safe)
CVEs total: 9
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Safe to Use in 2026?

Generally Safe

Score 90/100

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: May 7, 2025 · Updated 23d ago
Risk Assessment

The "file-manager-advanced" plugin v5.4.10 exhibits a mixed security posture. While it demonstrates several good security practices, including a complete absence of unprotected entry points (AJAX handlers, REST API routes, shortcodes, cron events) and a relatively high percentage of SQL queries using prepared statements and properly escaped outputs, significant concerns remain.

The static analysis reveals a substantial number of dangerous functions present in the codebase, including those that can lead to arbitrary code execution (exec, passthru, shell_exec) and deserialization vulnerabilities (unserialize, assert). Coupled with the taint analysis indicating multiple flows with unsanitized paths, including three critical severity issues, this points to a high risk of potential code execution and path traversal vulnerabilities if these flows are triggered by user input without proper sanitization or access control.

The plugin's vulnerability history is also a significant red flag. With a total of 9 known CVEs, predominantly of High and Medium severity, and common types including missing authorization, cross-site scripting, and path traversal, it indicates a recurring pattern of security weaknesses. Although there are currently no unpatched CVEs, the historical prevalence of these vulnerability types suggests that the plugin may have systemic issues in handling user input and enforcing access controls. The most recent vulnerability, in May 2025, further underscores the ongoing need for vigilance. In conclusion, while the plugin has made efforts to secure its entry points and core database operations, the presence of dangerous functions, critical taint flows, and a history of severe vulnerabilities necessitates a cautious approach and further investigation into the specific risks identified.

Key Concerns

  • Critical severity taint flows with unsanitized paths
  • Presence of dangerous functions like exec, passthru, shell_exec
  • 5 flows with unsanitized paths found
  • 9 known CVEs with 5 high and 4 medium severity
  • Bundled outdated jQuery v1.12.4
  • Bundled outdated Freemius v1.0
  • 319 file operations, potential for insecure handling
  • Only 76% of outputs properly escaped
Vulnerabilities (9)

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 5 CVEs
2025: 3 CVEs

Severity Breakdown

High: 5
Medium: 4

9 total CVEs

CVE-2025-47688 · medium · 5.3 · Missing Authorization

Advanced File Manager <= 5.3.1 - Missing Authorization to Notice Dismissal

May 7, 2025 · Patched in 5.3.2 (8d)

CVE-2024-13805 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload

Mar 6, 2025 · Patched in 5.3.0 (1d)

CVE-2024-13333 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

Advanced File Manager 5.2.12 - 5.2.13 - Authenticated (Subscriber+) Arbitrary File Upload

Jan 16, 2025 · Patched in 5.2.14 (1d)

CVE-2024-11391 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload

Dec 2, 2024 · Patched in 5.2.11 (2d)

CVE-2024-8704 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Advanced File Manager <= 5.2.8 - Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale

Sep 25, 2024 · Patched in 5.2.9 (1d)

CVE-2024-8126 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Arbitrary File Upload

Sep 25, 2024 · Patched in 5.2.9 (1d)

CVE-2024-8725 · medium · 6.8 · Unrestricted Upload of File with Dangerous Type

Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Limited File Upload

Sep 25, 2024 · Patched in 5.2.9 (1d)

CVE-2024-5598 · high · 7.5 · Insecure Storage of Sensitive Information

Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing

Jun 28, 2024 · Patched in 5.2.5 (1d)

CVE-2023-3814 · medium · 6.6 · Improper Access Control

Advanced File Manager <= 5.1 - Authenticated (Administrator+) Arbitrary File and Folder Access

Aug 14, 2023 · Patched in 5.1.1 (332d)
Code Analysis
Analyzed Mar 16, 2026

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Code Analysis

Dangerous Functions: 55
Raw SQL Queries: 21 (42 prepared)
Unescaped Output: 49 (159 escaped)
Nonce Checks: 9
Capability Checks: 11
File Operations: 319
External Requests: 9
Bundled Libraries: 4

Dangerous Functions Found

Function | Matching code | File:line

exec | $exec_result = exec( $command, $output, $return_code ); | application\class_fma_debug_validator.php:109
exec | exec( $this->php_path . ' -v', $version_output ); | application\class_fma_debug_validator.php:117
exec | return exec($command, $output, $result_code); | application\library\exec-with-fallback\src\ExecWithFallback.php:111
exec | return exec($command, $output, $result_code); | application\library\exec-with-fallback\src\ExecWithFallbackNoMercy.php:52
passthru | passthru($command, $result_code); | application\library\exec-with-fallback\src\Passthru.php:28
passthru | passthru($command, $result_code); | application\library\exec-with-fallback\src\Passthru.php:31
passthru | passthru($command, $result_code); | application\library\exec-with-fallback\src\Passthru.php:34
popen | $handle = @popen($command, "r"); | application\library\exec-with-fallback\src\POpen.php:26
proc_open | $processHandle = proc_open($command, $descriptorspec, $pipes, $cwd); | application\library\exec-with-fallback\src\ProcOpen.php:33
shell_exec | $result = shell_exec($command); | application\library\exec-with-fallback\src\ShellExec.php:30
unserialize | $data = unserialize(base64_decode($var)); | application\library\php\elFinder.class.php:4793
proc_open | $process = proc_open($command, $descriptorspec, $pipes, $cwd, null); | application\library\php\elFinder.class.php:5284
unserialize | $data = unserialize($data); | application\library\php\elFinderSession.php:206
exec | exec('rd /S /Q ' . escapeshellarg($dir), $o, $r); | application\library\php\elFinderVolumeDriver.class.php:7129
exec | exec('del /F /Q ' . escapeshellarg($dir), $o, $r); | application\library\php\elFinderVolumeDriver.class.php:7131
exec | exec('rm -rf ' . escapeshellarg($dir), $o, $r); | application\library\php\elFinderVolumeDriver.class.php:7134
unserialize | return unserialize($res[0]); | application\library\php\elFinderVolumeDropbox.class.php:475
unserialize | $chk = unserialize($chk[0]); | application\library\php\elFinderVolumeDropbox.class.php:516
unserialize | $res = unserialize($res[0]); | application\library\php\elFinderVolumeDropbox.class.php:527
unserialize | $raw = unserialize($raw); | application\library\php\elFinderVolumeDropbox.class.php:658
unserialize | $raw = unserialize($raw); | application\library\php\elFinderVolumeDropbox.class.php:701
unserialize | return unserialize($serializedString); | application\svg-sanitizer\includes\doctrine\instantiator\src\Doctrine\Instantiator\Instantiator.php:136
unserialize | unserialize($serializedString); | application\svg-sanitizer\includes\doctrine\instantiator\src\Doctrine\Instantiator\Instantiator.php:211
assert | assert($expectedAttribute instanceof DOMAttr); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\Assert.php:2900
assert | assert($step['object'] instanceof TestCase); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\Assert.php:3623
assert | assert($matcher instanceof self); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\MockObject\Matcher.php:132
assert | assert($matcher instanceof self); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\MockObject\Matcher.php:184
assert | assert($_test instanceof TestCase); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\TestBuilder.php:165
assert | assert($methodProphecy instanceof MethodProphecy); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\TestCase.php:2091
assert | assert($current instanceof TestSuite); | application\svg-sanitizer\includes\phpunit\phpunit\src\Framework\TestSuiteIterator.php:76
assert | assert(isset($data['defects']) && is_array($data['defects'])); | application\svg-sanitizer\includes\phpunit\phpunit\src\Runner\DefaultTestResultCache.php:125
assert | assert(isset($data['times']) && is_array($data['times'])); | application\svg-sanitizer\includes\phpunit\phpunit\src\Runner\DefaultTestResultCache.php:126
unserialize | $coverage = @unserialize($buffer); | application\svg-sanitizer\includes\phpunit\phpunit\src\Runner\PhptTestCase.php:620
assert | assert($object instanceof TestSuiteLoader); | application\svg-sanitizer\includes\phpunit\phpunit\src\TextUI\Command.php:1030
assert | assert($this->printer instanceof CliTestDoxPrinter); | application\svg-sanitizer\includes\phpunit\phpunit\src\TextUI\TestRunner.php:313
assert | assert($extensionObject instanceof Hook); | application\svg-sanitizer\includes\phpunit\phpunit\src\TextUI\TestRunner.php:1097
assert | assert($log instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:276
assert | assert($includePath instanceof DOMNode); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:350
assert | assert($ini instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:360
assert | assert($const instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:369
assert | assert($var instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:379
assert | assert($directoryNode instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1011
assert | assert($fileNode instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1038
assert | assert($directoryNode instanceof DOMElement); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1122
assert | assert($file instanceof DOMNode); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1149
assert | assert($group instanceof DOMNode); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1207
assert | assert($group instanceof DOMNode); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Configuration.php:1213
unserialize | $childResult = unserialize(str_replace("#!/usr/bin/env php\n", '', $stdout)); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\PHP\AbstractPhpProcess.php:300
assert | assert($childResult instanceof TestResult); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\PHP\AbstractPhpProcess.php:332
proc_open | $process = proc_open( | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\PHP\DefaultPhpProcess.php:99
assert | assert(is_resource($this->out)); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Printer.php:99
assert | assert(is_resource($this->out)); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Printer.php:115
assert | assert(is_resource($this->out)); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Printer.php:126
assert | assert(class_exists($className)); | application\svg-sanitizer\includes\phpunit\phpunit\src\Util\Xml.php:243
proc_open | $process = proc_open( | application\svg-sanitizer\includes\sebastian\version\src\Version.php:82

Note that every assert() hit, and several of the unserialize() and proc_open() hits, sit under application\svg-sanitizer\includes\phpunit, doctrine and sebastian, i.e. in test tooling bundled with the plugin rather than in its own request-handling code; the exec-with-fallback library and the elFinder classes are where the command-execution and deserialization calls reached by plugin functionality live.

Bundled Libraries

Select2, TinyMCE, jQuery 1.12.4, Freemius 1.0

SQL Query Safety

67% prepared (63 total queries)

Output Escaping

76% escaped (208 total outputs)

Data Flows (5 unsanitized)

Data Flow Analysis

7 flows, 5 with unsanitized paths
callback (application\library\php\elFinder.class.php:4144)
Attack Surface

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Attack Surface

Entry Points: 8
Unprotected: 0

AJAX Handlers 7

auth | wp_ajax_fma_load_fma_ui | application\class_fma_main.php:39
auth | wp_ajax_fma_review_ajax | application\class_fma_main.php:40
auth | wp_ajax_fma_save_php_file | application\class_fma_main.php:41
auth | wp_ajax_fma_debug_php | application\class_fma_main.php:42
auth | wp_ajax_fma_hide_appsumo_banner | application\class_fma_main.php:43
auth | wp_ajax_post_smtp_request | application\post-smtp-notice\recommend-post-smtp-base.php:41
nopriv | wp_ajax_post_smtp_request | application\post-smtp-notice\recommend-post-smtp-base.php:42

REST API Routes 1

POST /wp-json/recommend-post-smtp/request | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:209

WordPress Hooks 34

action | fma__settings_tab_notifications_content | application\class_fma_admin_menus.php:20
action | fma__settings_tab_ai_content | application\class_fma_admin_menus.php:22
filter | fs_is_submenu_visible_file-manager-advanced | application\class_fma_admin_menus.php:25
action | admin_menu | application\class_fma_admin_menus.php:28
action | admin_head | application\class_fma_admin_menus.php:350
action | init | application\class_fma_blocks.php:23
action | add_meta_boxes | application\class_fma_blocks.php:26
action | save_post | application\class_fma_blocks.php:29
action | admin_menu | application\class_fma_blocks.php:33
action | admin_enqueue_scripts | application\class_fma_blocks.php:36
action | admin_footer | application\class_fma_blocks.php:40
filter | manage_fma_blocks_posts_columns | application\class_fma_blocks.php:41
action | manage_fma_blocks_posts_custom_column | application\class_fma_blocks.php:42
action | admin_menu | application\class_fma_main.php:37
action | admin_enqueue_scripts | application\class_fma_main.php:38
action | admin_init | application\class_fma_main.php:46
action | init | application\class_fma_main.php:48
filter | fma__settings_tabs | application\class_fma_main.php:442
action | fma__settings_tab_smtp_content | application\class_fma_main.php:444
filter | fma__opts_override | application\logs\class-filelogs.php:37
action | admin_init | application\logs\class-filelogs.php:38
action | admin_enqueue_scripts | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:52
action | admin_head | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:53
action | admin_notices | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:54
action | admin_post_hide-post-smtp-recommendation-notice | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:55
action | rest_api_init | application\post-smtp-notice\recommend-post-smtp-admin-notice.php:56
action | rest_api_init | application\post-smtp-notice\recommend-post-smtp-base.php:38
action | admin_enqueue_scripts | application\post-smtp-notice\recommend-post-smtp-base.php:45
action | admin_head | application\post-smtp-notice\recommend-post-smtp-base.php:46
action | admin_menu | application\post-smtp-notice\recommend-post-smtp-base.php:58
action | admin_menu | application\post-smtp-notice\recommend-post-smtp-base.php:62
action | rest_api_init | application\rest-api\class-fma-controller.php:38
action | fs_after_uninstall_file-manager-advanced | file_manager_advanced.php:78
action | plugins_loaded | file_manager_advanced.php:161

Maintenance & Trust

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.0
Downloads: 5.7M

Community Trust

Rating: 96/100
Number of ratings: 432
Active installs: 100K

Developer Profile

Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days

Detection Fingerprints

How We Detect Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/file-manager-advanced/css/editor.css
/wp-content/plugins/file-manager-advanced/css/style.css
/wp-content/plugins/file-manager-advanced/css/theme.css
/wp-content/plugins/file-manager-advanced/js/clipboard.min.js
/wp-content/plugins/file-manager-advanced/js/elfinder/js/elfinder.min.js
/wp-content/plugins/file-manager-advanced/js/elfinder/themes/material/theme.js
/wp-content/plugins/file-manager-advanced/js/frontend.js
/wp-content/plugins/file-manager-advanced/js/jquery-ui.min.js
+4 more
Script Paths
/wp-content/plugins/file-manager-advanced/js/clipboard.min.js
/wp-content/plugins/file-manager-advanced/js/elfinder/js/elfinder.min.js
/wp-content/plugins/file-manager-advanced/js/elfinder/themes/material/theme.js
/wp-content/plugins/file-manager-advanced/js/frontend.js
/wp-content/plugins/file-manager-advanced/js/jquery-ui.min.js
/wp-content/plugins/file-manager-advanced/js/jquery.min.js
+3 more
Version Parameters
file-manager-advanced/css/editor.css?ver=
file-manager-advanced/css/style.css?ver=
file-manager-advanced/css/theme.css?ver=
file-manager-advanced/js/clipboard.min.js?ver=
file-manager-advanced/js/elfinder/js/elfinder.min.js?ver=
file-manager-advanced/js/elfinder/themes/material/theme.js?ver=
file-manager-advanced/js/frontend.js?ver=
file-manager-advanced/js/jquery-ui.min.js?ver=
file-manager-advanced/js/jquery.min.js?ver=
file-manager-advanced/js/main.js?ver=
file-manager-advanced/js/vue/app.js?ver=
file-manager-advanced/js/vue/chunk-vendors.js?ver=

HTML / DOM Fingerprints

CSS Classes
elfinder-toolbar, elfinder-cwd-file, elfinder-dialog, elfinder-buttonset, elfinder-button, elfinder-dialog-title, elfinder-spinner, elfinder-dialog-wrapper
HTML Comments
// Free: Show AI Integration (Code Pilot) tab content as a PRO teaser
// Hide Freemius Add-Ons menu using Freemius filter hook
// This is the proper way to hide menu items in Freemius
// Remove Add-Ons submenu if it exists (check various possible slugs)
+11 more
Data Attributes
data-elfinder-dialog, data-elfinder-dialog-title, data-elfinder-button
JS Globals
fma_fs, file_manager_advanced_shortcode, fma_freemius_after_uninstall, class_fma_blocks, class_fma_main, advanced_file_manager_load_text_domain, +1 more
REST Endpoints
/wp-json/file-manager-advanced/v1/get_settings
/wp-json/file-manager-advanced/v1/save_settings
/wp-json/file-manager-advanced/v1/get_usage_data
/wp-json/file-manager-advanced/v1/get_pro_feature_settings
/wp-json/file-manager-advanced/v1/save_pro_feature_settings

FAQ

Frequently Asked Questions about Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution