CVE-2025-10744: 
WordPress vulnerability analysis and mitigation

The File Manager, Code Editor, and Backup by Managefy plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2025-10744) affecting all versions up to and including 1.6.1. The vulnerability was discovered on September 30, 2025 and publicly disclosed on October 1, 2025. This security issue impacts WordPress installations using the affected plugin versions (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to view sensitive information through publicly exposed log files. Specifically, attackers can access full paths and backup files information contained in these exposed logs. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. It is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability exposes sensitive system information including full file paths and backup file locations to unauthenticated attackers. This information disclosure could potentially be used to plan further attacks or gain insights into the system's structure (NVD).

Website administrators running the affected plugin versions should upgrade to version 1.6.2 or later which contains fixes for this vulnerability. The update addresses the information exposure issue by properly securing the log files (Wordfence).