CVE-2026-6382 PUBLISHED

Multiple elFinder Plugins - Authenticated OS Command Injection

Assigner: WPScan
Reserved: 15.04.2026 Published: 06.07.2026 Updated: 06.07.2026

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

Product Status

Vendor Unknown
Product FileOrganizer
Versions Default: unaffected
  • affected from 0 to 1.1.9 (excl.)
Vendor Unknown
Product Advanced File Manager
Versions Default: unaffected
  • affected from 0 to 5.4.12 (excl.)
Vendor Unknown
Product File Manager Pro
Versions Default: unaffected
  • affected from 0 to 2.1.1 (excl.)
Vendor Unknown
Product File Manager
Versions Default: unaffected
  • affected from 0 to 8.0.4 (excl.)

Credits

  • mcdruid finder
  • WPScan coordinator

References

Problem Types

  • CWE-94 Improper Control of Generation of Code ('Code Injection') CWE