File Manager Security & Risk Analysis

wordpress.org/plugins/wp-file-manager

File Manager provides you the ability to edit, delete, upload, download, copy and paste files and folders.

Active installs: 1.0M · Version: v8.0.2 · PHP 5.2.4+ · WP 4.0+ · Updated Jun 4, 2025
Tags: elfinder, file-manager, ftp, wp-file-manager, wp-filemanager
Score: 87 · A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Jun 27, 2024
Safety Verdict

Is File Manager Safe to Use in 2026?

Generally Safe

Score 87/100

File Manager has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Jun 27, 2024 · Updated 10mo ago
Risk Assessment

The wp-file-manager v8.0.2 plugin exhibits a mixed security posture. While it demonstrates some good practices like a high percentage of prepared SQL statements and a reasonable number of nonce and capability checks, significant concerns exist regarding its attack surface and output sanitization.

The static analysis reveals a notable number of unprotected entry points, specifically 4 out of 12, including AJAX handlers and REST API routes that lack authorization. Any caller who can reach such an entry point can invoke its functionality without the intended access check. Furthermore, the low percentage of properly escaped output (46%) is a strong indicator of potential Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts.

The plugin's vulnerability history is a significant red flag. With 12 known CVEs, including 2 critical and 4 high severity vulnerabilities, it suggests a pattern of recurring security weaknesses. The common types of vulnerabilities listed, such as Path Traversal, CSRF, and XSS, align with the static analysis findings of unprotected entry points and poor output escaping. While there are currently no unpatched CVEs, the history indicates a susceptibility to common and severe web security flaws, demanding caution despite recent fixes.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Low output escaping percentage
  • High number of known CVEs
  • History of critical/high severity CVEs
  • Unsanitized path flow
Vulnerabilities (12)

File Manager Security Vulnerabilities

CVEs by Year

  • 2018: 4 CVEs
  • 2019: 1 CVE
  • 2020: 2 CVEs
  • 2021: 1 CVE
  • 2024: 4 CVEs

Severity Breakdown

Critical: 2
High: 4
Medium: 6

12 total CVEs

CVE-2024-37254 · medium · 4.3 · Missing Authorization
File Manager <= 7.2.7 - Missing Authorization
Jun 27, 2024 · Patched in 7.2.8 (6d)

CVE-2024-2654 · medium · 6.8 · Path Traversal: '.../...//'
File Manager <= 7.2.5 - Authenticated (Administrator+) Directory Traversal
Apr 3, 2024 · Patched in 7.2.6 (7d)

CVE-2024-1538 · high · 8.8 · Cross-Site Request Forgery (CSRF)
File Manager <= 7.2.4 - Cross-Site Request Forgery to Local JS File Inclusion
Mar 20, 2024 · Patched in 7.2.5 (1d)

CVE-2024-0761 · high · 8.1 · Use of Insufficiently Random Values
File Manager <= 7.2.1 - Sensitive Information Exposure via Backup Filenames
Jan 22, 2024 · Patched in 7.2.2 (647d)

CVE-2021-24177 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP File Manager <= 7.0 - Reflected Cross-Site Scripting
Feb 26, 2021 · Patched in 7.1 (1061d)

CVE-2020-25213 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
File Manager <= 6.8 - Arbitrary File Upload/Remote Code Execution
Sep 1, 2020 · Patched in 6.9 (1239d)

CVE-2020-24312 · high · 7.5 · Files or Directories Accessible to External Parties
WP File Manager <= 6.4 - Unauthenticated Resource Access to Site Backups
Aug 13, 2020 · Patched in 6.5 (1258d)

File Manager <= 4.8 - Missing Authorization on AJAX Actions
Aug 7, 2019 · Patched in 4.9 (1630d)

CVE-2018-16967 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
File Manager <= 3.0 - Stored Cross-Site Scripting
Sep 17, 2018 · Patched in 3.1 (1954d)

CVE-2018-25105 · critical · 9.8 · Missing Authorization
File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
Sep 17, 2018 · Patched in 3.1 (2221d)

CVE-2018-16966 · high · 8.8 · Cross-Site Request Forgery (CSRF)
File Manager <= 3.0 - Cross-Site Request Forgery
Sep 17, 2018 · Patched in 3.1 (1954d)

CVE-2018-16363 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
File Manager <= 2.9 - Reflected Cross-Site Scripting
Sep 6, 2018 · Patched in 3.0 (1965d)
Code Analysis (analyzed Mar 16, 2026)

File Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (20 prepared)
Unescaped Output: 64 (55 escaped)
Nonce Checks: 11
Capability Checks: 8
File Operations: 35
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

87% prepared (23 total queries)

Output Escaping

46% escaped (119 total outputs)

Data Flows (1 unsanitized)

Data Flow Analysis

8 flows, 1 with unsanitized paths
Flow with unsanitized path: mk_file_manager_single_backup_restore_callback (file_folder_manager.php:144)
Attack Surface (4 unprotected)

File Manager Attack Surface

Entry Points: 12
Unprotected: 4

AJAX Handlers (10)

  • auth · wp_ajax_mk_file_folder_manager · file_folder_manager.php:31
  • auth · wp_ajax_mk_fm_close_fm_help · file_folder_manager.php:32
  • auth · wp_ajax_mk_filemanager_verify_email · file_folder_manager.php:39
  • auth · wp_ajax_verify_filemanager_email · file_folder_manager.php:40
  • auth · wp_ajax_mk_file_folder_manager_media_upload · file_folder_manager.php:44
  • auth · wp_ajax_mk_file_manager_backup · file_folder_manager.php:48
  • auth · wp_ajax_mk_file_manager_backup_remove · file_folder_manager.php:49
  • auth · wp_ajax_mk_file_manager_single_backup_remove · file_folder_manager.php:50
  • auth · wp_ajax_mk_file_manager_single_backup_logs · file_folder_manager.php:51
  • auth · wp_ajax_mk_file_manager_single_backup_restore · file_folder_manager.php:52

REST API Routes (2)

  • GET /wp-json/v1/fm/backup/(?P<backup_id>[a-zA-Z0-9-=]+)/(?P<type>[a-zA-Z0-9-=]+)/(?P<key>[a-zA-Z0-9-=]+) · file_folder_manager.php:55
  • GET /wp-json/v1/fm/backupall/(?P<backup_id>[a-zA-Z0-9-=]+)/(?P<type>[a-zA-Z0-9-=]+)/(?P<key>[a-zA-Z0-9-=]+)/(?P<all>[a-zA-Z]+) · file_folder_manager.php:61

WordPress Hooks (9)

  • action · activated_plugin · file_folder_manager.php:26
  • action · admin_menu · file_folder_manager.php:27
  • action · network_admin_menu · file_folder_manager.php:28
  • action · admin_enqueue_scripts · file_folder_manager.php:29
  • action · admin_enqueue_scripts · file_folder_manager.php:30
  • filter · plugin_action_links · file_folder_manager.php:33
  • action · plugins_loaded · file_folder_manager.php:35
  • action · init · file_folder_manager.php:46
  • action · rest_api_init · file_folder_manager.php:53
Maintenance & Trust

File Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 4, 2025
PHP min version: 5.2.4
Downloads: 32.2M

Community Trust

Rating: 94/100
Number of ratings: 1,462
Active installs: 1.0M
Developer Profile

File Manager Developer Profile

mndpsingh287

7 plugins · 4.1M total installs

Trust score: 67
Avg Security Score: 83/100
Avg Patch Time: 1115 days
Detection Fingerprints

How We Detect File Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-file-manager/css/
  • /wp-content/plugins/wp-file-manager/css/custom.css
  • /wp-content/plugins/wp-file-manager/css/normalize.css
  • /wp-content/plugins/wp-file-manager/css/styles.css
  • /wp-content/plugins/wp-file-manager/js/
  • /wp-content/plugins/wp-file-manager/js/script.js
  • /wp-content/plugins/wp-file-manager/js/custom.js
  • /wp-content/plugins/wp-file-manager/js/plugin.js
  • +1 more
Script Paths
  • /wp-content/plugins/wp-file-manager/js/script.js
  • /wp-content/plugins/wp-file-manager/js/custom.js
  • /wp-content/plugins/wp-file-manager/js/plugin.js
Version Parameters
  • wp-file-manager/style.css?ver=
  • wp-file-manager/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpfm-header
Data Attributes
  • data-type="filemanager"
  • data-template="plugin/filemanager"
JS Globals
  • wp_file_manager_plugin
REST Endpoints
  • /wp-json/v1/fm/backup/
  • /wp-json/v1/fm/backupall/
Shortcode Output
  • [wp_file_manager]
FAQ

Frequently Asked Questions about File Manager