FileOrganizer – WordPress File Manager Security & Risk Analysis

wordpress.org/plugins/fileorganizer

FileOrganizer is an intuitive file manager to easily edit, delete, upload, download, and manage all your WordPress files and folders right from the da …

200K active installs · v1.1.8 · PHP 5.5+ · WP 5.5+ · Updated Dec 5, 2025
Tags: file-explorer, file-manager, fileorganizer, upload-files, wordpress-file-manager
Score: 95 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 6, 2024

Safety Verdict

Is FileOrganizer – WordPress File Manager Safe to Use in 2026?

Generally Safe

Score 95/100

FileOrganizer – WordPress File Manager has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 6, 2024 · Updated 3mo ago

Risk Assessment

The "fileorganizer" plugin version 1.1.8 presents a mixed security posture. It has zero unprotected entry points (AJAX, REST API, shortcodes, cron events), which indicates good practice in limiting direct access, but the static analysis reveals several concerning signals. The presence of dangerous functions such as `unserialize`, `proc_open`, and `exec` warrants caution, as these can be exploited if input is not meticulously sanitized. Furthermore, the taint analysis highlights a critical-severity flow with unsanitized paths, which is a significant risk and could lead to path traversal vulnerabilities.

The plugin's vulnerability history is a major concern, with five known CVEs, three of them high severity. Recurring vulnerability types such as Path Traversal, Unrestricted Upload, and Missing Authorization indicate repeated weaknesses in how user-supplied data is handled. Although there are currently no unpatched CVEs, the past recurrence of these issues suggests a need for ongoing vigilance and robust development practices to prevent future exploitation. The plugin's strengths lie in its protected entry points and relatively high percentage of prepared SQL statements and output escaping, but these are overshadowed by the critical taint flow and historical vulnerability patterns.

Key Concerns

  • Critical severity taint flow with unsanitized paths
  • Presence of dangerous functions (unserialize, proc_open, exec)
  • Multiple high severity past vulnerabilities
  • History of Path Traversal vulnerabilities
  • History of Unrestricted Upload vulnerabilities
  • History of Missing Authorization vulnerabilities
Vulnerabilities
5

FileOrganizer – WordPress File Manager Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 4 CVEs

Severity Breakdown

High: 3
Medium: 1
Low: 1

5 total CVEs

CVE-2024-11010 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

FileOrganizer <= 1.1.4 - Authenticated (Administrator+) Local JavaScript File Inclusion

Dec 6, 2024 · Patched in 1.1.5 (3d)

CVE-2024-7985 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload

Oct 29, 2024 · Patched in 1.1.0 (1d)

CVE-2024-5599 · high · 7.5 · Insecure Storage of Sensitive Information

FileOrganizer <= 1.0.7 - Sensitive Information Exposure via Directory Listing

Jun 6, 2024 · Patched in 1.0.8 (2d)

CVE-2024-2324 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FileOrganizer and FileOrganizer Pro <= 1.0.6 - Authenticated Stored Cross-Site Scripting

Apr 23, 2024 · Patched in 1.0.7 (10d)

CVE-2023-3664 · low · 2.7 · Missing Authorization

FileOrganizer <= 1.0.3 - Authenticated (Admin+) Arbitrary File Access

Sep 3, 2023 · Patched in 1.0.4 (142d)

Code Analysis
Analyzed Mar 16, 2026

FileOrganizer – WordPress File Manager Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 8 (20 prepared)
Unescaped Output: 12 (98 escaped)
Nonce Checks: 5
Capability Checks: 9
File Operations: 253
External Requests: 7
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · `$data = unserialize(base64_decode($var));` · manager\php\elFinder.class.php:4778
  • proc_open · `$process = proc_open($command, $descriptorspec, $pipes, $cwd, null);` · manager\php\elFinder.class.php:5269
  • unserialize · `$data = unserialize($data);` · manager\php\elFinderSession.php:206
  • exec · `exec('rd /S /Q ' . escapeshellarg($dir), $o, $r);` · manager\php\elFinderVolumeDriver.class.php:7121
  • exec · `exec('del /F /Q ' . escapeshellarg($dir), $o, $r);` · manager\php\elFinderVolumeDriver.class.php:7123
  • exec · `exec('rm -rf ' . escapeshellarg($dir), $o, $r);` · manager\php\elFinderVolumeDriver.class.php:7126
  • unserialize · `return unserialize($res[0]);` · manager\php\elFinderVolumeDropbox.class.php:475
  • unserialize · `$chk = unserialize($chk[0]);` · manager\php\elFinderVolumeDropbox.class.php:516
  • unserialize · `$res = unserialize($res[0]);` · manager\php\elFinderVolumeDropbox.class.php:527
  • unserialize · `$raw = unserialize($raw);` · manager\php\elFinderVolumeDropbox.class.php:658
  • unserialize · `$raw = unserialize($raw);` · manager\php\elFinderVolumeDropbox.class.php:701

Bundled Libraries

TinyMCE

SQL Query Safety

71% prepared · 28 total queries

Output Escaping

89% escaped · 110 total outputs

Data Flows
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
callback (manager\php\elFinder.class.php:4129)
Attack Surface

FileOrganizer – WordPress File Manager Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers: 4

  • auth · wp_ajax_fileorganizer_file_folder_manager · main\ajax.php:12
  • auth · wp_ajax_fileorganizer_switch_theme · main\ajax.php:215
  • auth · wp_ajax_fileorganizer_hide_promo · main\ajax.php:244
  • auth · wp_ajax_fileorganizer_close_update_notice · main\ajax.php:350

WordPress Hooks: 7

  • action · plugins_loaded · init.php:145
  • action · admin_notices · init.php:170
  • action · admin_notices · init.php:188
  • filter · softaculous_plugin_update_notice · init.php:189
  • action · network_admin_menu · init.php:196
  • action · admin_menu · init.php:197
  • action · admin_init · init.php:232

Maintenance & Trust

FileOrganizer – WordPress File Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 5, 2025
PHP min version: 5.5
Downloads: 1.8M

Community Trust

Rating: 96/100
Number of ratings: 45
Active installs: 200K

Developer Profile

FileOrganizer – WordPress File Manager Developer Profile

Softaculous

10 plugins · 4.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 333 days
Detection Fingerprints

How We Detect FileOrganizer – WordPress File Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/fileorganizer/css/elfinder/theme.css
  • /wp-content/plugins/fileorganizer/css/elfinder/material.css
  • /wp-content/plugins/fileorganizer/css/elfinder/material-dark.css
  • /wp-content/plugins/fileorganizer/css/elfinder/material-gray.css
  • /wp-content/plugins/fileorganizer/css/elfinder/windows10.css
  • /wp-content/plugins/fileorganizer/css/elfinder/elfinder.min.css
  • /wp-content/plugins/fileorganizer/js/elfinder/elfinder.min.js
  • /wp-content/plugins/fileorganizer/js/elfinder/i18n/elfinder.ru.js

Script Paths
  • /wp-content/plugins/fileorganizer/js/elfinder/elfinder.min.js
  • /wp-content/plugins/fileorganizer/js/elfinder/i18n/elfinder.ru.js

Version Parameters
  • fileorganizer/css/elfinder/theme.css?ver=
  • fileorganizer/css/elfinder/material.css?ver=
  • fileorganizer/css/elfinder/material-dark.css?ver=
  • fileorganizer/css/elfinder/material-gray.css?ver=
  • fileorganizer/css/elfinder/windows10.css?ver=
  • fileorganizer/css/elfinder/elfinder.min.css?ver=
  • fileorganizer/js/elfinder/elfinder.min.js?ver=
  • fileorganizer/js/elfinder/i18n/elfinder.ru.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • fileorganizer_wrap
  • fileorganizer-header
  • fileorganizer-td
  • fileorganizer-heading
  • fileorganizer-options
  • fileorganizer_footer_wrap
  • fileorganizer_button
  • fileorganizer_button1
  • +3 more

Data Attributes
  • id="fileorganizer_elfinder"
  • id="fileorganizer-theme-switcher"
  • data-id="fileorganizer"

JS Globals
  • fileorganizer_ajaxurl
  • fileorganizer_ajax_nonce
  • fileorganizer_url
  • fileorganizer_lang

REST Endpoints
  • /wp-json/fileorganizer/v1/folders
  • /wp-json/fileorganizer/v1/files
  • /wp-json/fileorganizer/v1/upload
  • /wp-json/fileorganizer/v1/download
  • /wp-json/fileorganizer/v1/delete