The wp-file-manager plugin has over 600,000 active installations. It offers site managers a convenient way to upload, download, edit, and delete files from within WordPress. The plugin provides an easy way to bring files directly into the Media Library. Using an FTP client becomes unnecessary. It also handles archiving files to Zip, Tar, and Gzip formats.
It's very convenient to manage files from within WordPress rather than bringing up a separate piece of software every time the administrator needs to make changes. The software had better be secure, though. A stranger who takes control of that functionality can do unlimited damage.
That is why the vulnerability, known as CVE-2020-25213, is considered critical. It lets intruders take control of those capabilities without needing any credentials.
Here's a short technical look at how it works. The plugin uses a popular open-source library, elFinder, for its low-level file management functionality. The distribution includes an example file called connector.php.minimal.dist. It was intended only as example code, not for use in live systems. Code for live use needs to include authorization checks and other security features, which the example file doesn't have.
Unfortunately, the instructions say to rename the file, giving it a .php extension. This was intended only for testing purposes, but someone must have misunderstood, and File Manager was distributed with the connector renamed. Anyone knowing the path to it could run it remotely. No authentication is required. The error leaves the website wide open for putting files on it or planting malware.
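The check below is an added example, not code from the original article, the plugin or elFinder: it walks a WordPress directory and flags elFinder-style example connectors that have been renamed so the web server runs them as PHP. The file-name pattern and the list of authorization function names are assumptions chosen for illustration.

```python
import os
import sys

# Assumption: tokens that suggest a connector performs a WordPress auth check.
AUTH_HINTS = (b"current_user_can", b"is_user_logged_in",
              b"wp_verify_nonce", b"check_ajax_referer")

def classify(name):
    """Return 'executable', 'inert' or None for a file name (heuristic)."""
    n = name.lower()
    if not (n.startswith("connector") and "minimal" in n):
        return None
    if n.endswith(".php"):
        return "executable"   # renamed example: served and run as PHP
    if n.endswith("dist"):
        return "inert"        # still an example file, not run as PHP
    return None

def scan(root):
    """Walk root and return sorted (relative_path, state, has_auth_hint) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            state = classify(name)
            if state is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    body = fh.read(1 << 20)   # first 1 MiB is enough for a connector
            except OSError:
                body = b""
            has_auth = any(hint in body for hint in AUTH_HINTS)
            findings.append((os.path.relpath(path, root), state, has_auth))
    return sorted(findings)

def exposed(findings):
    """Executable example connectors with no visible authorization check."""
    return [f for f in findings if f[1] == "executable" and not f[2]]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan(root)
    for rel, state, has_auth in results:
        print(f"{state:10} auth_hint={has_auth!s:5} {rel}")
    sys.exit(1 if exposed(results) else 0)
```

Run it with the path to the WordPress root; exit status 1 means at least one executable example connector without a visible authorization check was found.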
Here is a formal description of the vulnerability, with a link to a Python script that you can use to check if your site is at risk.