Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4024 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
9.1
CVE-2026-6382EXPLOITEDPATCHED
wordpress · fileorganizer

Multiple elFinder Plugins - Authenticated OS Command Injection

Description

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

Affected Products

VendorProductVersions
wordpressfileorganizer0, 0, 0, 0

References

  • https://wpscan.com/vulnerability/a27f70b7-a4cc-42fa-88c1-19adfe1593a8/(exploit, vdb-entry, technical-description)

Related News (1 articles)

Tier C
VulDB11d ago
CVE-2026-6382 | FileOrganizer Plugin on WordPress os command injection
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
1.1.95.4.122.1.18.0.4
PublishedJul 6, 2026
Last enriched11d agov2
Trending Score9
Source articles1
Independent1
Info Completeness7/14
Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-63030EXPKEV
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Trending: 123
CRITICALCVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
Trending: 44
HIGHCVE-2026-9700EXP
Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter
Trending: 13
MEDIUMCVE-2026-12097EXP
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
Trending: 12
HIGHCVE-2026-8441EXP
WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
Trending: 6

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 6, 2026
Discovered by ZDM
Jul 6, 2026
Updated: description, severity, activelyExploited
Jul 6, 2026
Actively Exploited
Jul 6, 2026
Patch Available
Jul 6, 2026

Version History

v2
Last enriched 11d ago
v2Tier C11d ago

Updated severity to CRITICAL, marked as actively exploited, and corrected exploit availability to false.

descriptionseverityactivelyExploited
via VulDB
v111d ago

Initial creation