CVE-2020-25213 — WordPress File Manager Plugin Remote Code Execution Vulnerability

WordPress File Manager Plugin (elFinder) — Unauthenticated File Upload via Exposed Connector Enables PHP Code Execution; 300,000+ Sites Targeted Within Hours of Disclosure

What is the WordPress File Manager Plugin?

The WordPress File Manager plugin (by mndpsingh287) is a WordPress plugin that integrates the elFinder open-source file manager into the WordPress admin dashboard, allowing site administrators to manage files, upload content, and edit files directly from the browser without needing FTP or SSH access. The plugin was installed on over 700,000 WordPress sites at the time of the vulnerability's discovery. The plugin bundles the elFinder library, which includes a PHP connector script (connector.minimal.php) that handles file operations. The critical flaw was that this connector script was left accessible without any authentication or WordPress access checks — anyone on the internet could call it directly, bypassing WordPress's authentication entirely.

Overview

CVE-2020-25213 is an unrestricted file upload vulnerability (CWE-434) in the WordPress File Manager plugin (versions 6.0–6.8) that allows an unauthenticated remote attacker to upload arbitrary PHP files and execute code on the WordPress server. The plugin's bundled elFinder connector.minimal.php script was publicly accessible at a predictable URL without any authentication, allowing anyone to issue file management commands — including uploading PHP webshells. Wordfence discovered the vulnerability being actively exploited as a zero-day on September 1, 2020; a patch was released September 3; within 24 hours of disclosure, Wordfence observed over 300,000 exploitation attempts across WordPress sites. CISA added it to KEV in November 2021.

Affected Versions

Product                                   Vulnerable   Fixed
WordPress File Manager plugin 6.0–6.8     Yes          6.9 (removes unauthenticated connector)

Technical Details

  • Root cause: Unrestricted file upload (CWE-434) via unauthenticated elFinder connector — the File Manager plugin includes lib/php/elFinder/php/connector.minimal.php, a PHP file that handles all elFinder file operations (upload, rename, delete, move); this file was bundled without any WordPress authentication wrapper, so it could be accessed directly at wp-content/plugins/wp-file-manager/lib/php/elFinder/php/connector.minimal.php without being logged into WordPress
  • Web shell upload: An attacker sends a POST request to the connector URL with an upload command and a PHP file as the payload; elFinder processes the upload and saves the file to the WordPress uploads directory or plugin directory; the uploaded PHP file is then accessible via its URL, providing a persistent web shell for executing arbitrary OS commands
  • CVSS 10.0 / S:C: Scope: Changed reflects that exploiting the WordPress plugin affects resources beyond the plugin itself — PHP code execution on the web server can access all WordPress data (database credentials in wp-config.php), other websites hosted on the same server, server configuration files, and potentially the underlying OS depending on PHP execution permissions
  • Zero-day mass exploitation: The vulnerability was being exploited in the wild before any public disclosure or CVE assignment; Wordfence identified attack traffic on September 1 and worked with the plugin developer on an emergency patch; in the period between discovery and patch, and immediately after patch/disclosure, threat actors raced to compromise as many sites as possible before administrators updated
  • WordPress plugin scale: With 700,000+ active installations, even a 1% exploitation success rate would compromise 7,000 WordPress sites; the trivial one-request exploitation and predictable file path made automated mass exploitation straightforward via scripted scanning

Discovery

Discovered by Wordfence's threat intelligence team, which detected active exploitation attempts in their firewall telemetry on September 1, 2020. Wordfence notified the plugin developer and coordinated the emergency release of version 6.9. The Wordfence blog post documenting the vulnerability and mass exploitation remains the definitive public reference.

Exploitation Context

CVE-2020-25213 represents a textbook case of supply chain risk through third-party plugins: the WordPress core was not vulnerable, but a widely-installed plugin with an insecure bundled library exposed 700,000+ sites to a trivially exploitable, no-authentication RCE. Within 24 hours of disclosure, attackers from multiple IP ranges and countries launched automated scanning and exploitation campaigns targeting all identifiable File Manager plugin installations. Post-exploitation goals included installing cryptocurrency miners, injecting SEO spam, creating backdoor accounts, and establishing persistent access. The speed of mass exploitation demonstrates how vulnerability disclosure in the WordPress plugin ecosystem immediately triggers automated attack campaigns.

Remediation

  1. Update the WordPress File Manager plugin to version 6.9 or later — the update removes the unauthenticated elFinder connector endpoint
  2. If immediate update is not possible, rename or delete wp-content/plugins/wp-file-manager/lib/php/elFinder/php/connector.minimal.php to prevent direct access
  3. Scan WordPress site files for PHP webshells — look for unusual PHP files in wp-content/uploads/, the plugin directory, and other web-accessible directories; compare file checksums against known-good plugin versions
  4. Review WordPress access logs for POST requests to connector.minimal.php or to uploaded PHP file URLs that may indicate successful exploitation
  5. Audit for backdoor admin accounts: check wp_users table for admin accounts created around the exploitation date
  6. Consider using a WordPress security plugin (Wordfence, Sucuri) that monitors for malicious file uploads and web shell activity in real time
  7. Implement a Web Application Firewall (WAF) rule to block direct access to elFinder connector files and other plugin files that should not be directly web-accessible
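
The log review in step 4 and the uploads scan in step 3 can be scripted. The following is an added example, not code from this page, from Wordfence or from the plugin: it parses access-log lines in the Apache/nginx "combined" format (an assumption about the host), flags any direct request to the connector path named above and any PHP-executable file name under wp-content/uploads, and reports client IPs that did both, which is the upload-then-invoke sequence described under Technical Details. The log lines, file names and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Triage helper for CVE-2020-25213 (WordPress File Manager / elFinder).

Added example, not code from the page, from Wordfence or from the plugin.
It applies the indicators in remediation steps 3 and 4 to constructed
access-log lines (Apache/nginx "combined" format, RFC 5737 addresses) and
to constructed file names under wp-content/uploads.
"""
import re
from collections import defaultdict
from pathlib import Path

# "combined" log line: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Exposed elFinder connector path named on the page.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/elFinder/php/connector.minimal.php"
# wp-content/uploads should hold media only; any PHP-executable name there is suspect.
PHP_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def is_php_like(name):
    """True if any extension component is PHP-executable, so 'x.php.jpg'
    (a double-extension trick on misconfigured Apache hosts) is flagged too."""
    return any(s.lower() in PHP_EXTS for s in Path(name).suffixes)


def classify(line):
    """Return (ip, indicator) for a suspicious request, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string
    # Any direct hit on the bare connector is suspect: the plugin's dashboard
    # does not need it (6.9 removes the file entirely), so GET probes count too.
    if path.endswith("/connector.minimal.php"):
        return m.group("ip"), "connector-access"
    if path.startswith("/wp-content/uploads/") and is_php_like(path):
        return m.group("ip"), "php-under-uploads"
    return None


def triage(lines):
    """Indicators per client IP, e.g. {'203.0.113.5': ['connector-access', 'php-under-uploads']}."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {ip: sorted(kinds) for ip, kinds in seen.items()}


def likely_compromised(lines):
    """IPs that both reached the connector and then fetched PHP from uploads."""
    needed = {"connector-access", "php-under-uploads"}
    return sorted(ip for ip, kinds in triage(lines).items() if needed <= set(kinds))


def flag_upload_names(relpaths):
    """Remediation step 3 on a list of paths relative to wp-content/uploads."""
    return sorted(p for p in relpaths if is_php_like(p))


def php_under_uploads(uploads_dir):
    """Walk a real uploads directory and apply flag_upload_names to it."""
    root = Path(uploads_dir)
    return flag_upload_names(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())


# Constructed log lines (not real traffic). 203.0.113.5 posts to the
# connector and then requests the dropped file; 192.0.2.9 only probes.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Sep/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Sep/2020:10:00:02 +0000] "POST ' + CONNECTOR + ' HTTP/1.1" 200 312 "-" "python-requests/2.24"',
    '203.0.113.5 - - [03/Sep/2020:10:00:03 +0000] "GET /wp-content/uploads/2020/09/constructed-shell.php HTTP/1.1" 200 87 "-" "python-requests/2.24"',
    '198.51.100.7 - - [03/Sep/2020:10:00:04 +0000] "GET /wp-content/uploads/2020/09/logo.png HTTP/1.1" 200 4040 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Sep/2020:10:00:05 +0000] "GET ' + CONNECTOR + '?cmd=open HTTP/1.1" 200 100 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for ip, kinds in triage(SAMPLE_LOG).items():
        print(ip, kinds)
    print("likely compromised:", likely_compromised(SAMPLE_LOG))
```

Run it against a copied access log with `triage(open("access.log"))` and against the live site with `php_under_uploads("/var/www/html/wp-content/uploads")`. Files the script lists under uploads should be compared against the plugin and theme checksums mentioned in step 3 before deletion; a hit from the log-only check is a prompt to look for a dropped file, not proof of compromise on its own, since the connector was also scanned by probes that never succeeded.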

Key Details

Property               Value
CVE ID                 CVE-2020-25213
Vendor / Product       WordPress — File Manager Plugin
NVD Published          2020-09-09
NVD Last Modified      2025-11-07
CVSS 3.1 Score         10.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-434
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2020-09-01   Wordfence discovers active exploitation of File Manager plugin zero-day; plugin installed on 700,000+ WordPress sites
2020-09-03   File Manager plugin version 6.9 released, removing the vulnerable unauthenticated connector endpoint
2020-09-09   CVE-2020-25213 published; Wordfence reports 300,000+ attack attempts in 24 hours targeting all WordPress sites with the plugin
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03   CISA BOD 22-01 remediation deadline