CVE-2023-5907: 
WordPress vulnerability analysis and mitigation

The File Manager WordPress plugin before version 6.3 contains a security vulnerability (CVE-2023-5907) discovered in November 2023. The vulnerability stems from the plugin's failure to restrict the file manager's root directory, which allows administrators to set a root directory outside of the WordPress root directory. This affects both standard WordPress installations and multisite setups, where site administrators should not have permissions to modify site files (WPScan, NVD).

The vulnerability is classified as a path traversal issue (CWE-552) with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability allows authenticated administrators to access system files and directories beyond the intended WordPress root directory through path traversal techniques. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N) (NVD).

When exploited, this vulnerability allows authenticated administrators to access and potentially modify system files and directories outside the WordPress installation directory. This is particularly concerning in multisite setups where site administrators should have limited access to the filesystem. The vulnerability could lead to unauthorized access to sensitive system files and potential system compromise (WPScan).

The vulnerability has been fixed in File Manager plugin version 6.3. Users are strongly advised to update to this version or later to prevent potential exploitation. No alternative workarounds have been publicly documented (WPScan).