CVE-2023-5907: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Unknown File Manager

Severity: Medium
Published: Mon Dec 11 2023 (12/11/2023, 19:22:37 UTC)
Source: CVE Database V5
Vendor/Project: Unknown
Product: File Manager

Description

The File Manager WordPress plugin before 6.3 does not restrict the file manager's root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the site's files.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 04:26:35 UTC

Technical Analysis

CVE-2023-5907 is a path traversal vulnerability (CWE-22) in the File Manager WordPress plugin in versions prior to 6.3. The plugin does not restrict the root directory served by its file manager interface: an administrator can configure that root to a location outside the WordPress root directory, after which the interface exposes arbitrary system files and directories beyond the intended scope. The issue matters most in multisite WordPress setups, where site administrators are normally confined to their own site's files and are not supposed to modify anything outside them. Exploitation requires WordPress administrator privileges but no further user interaction. The vulnerability carries a CVSS 3.1 score of 6.5 (medium). Its impact is unauthorized disclosure and modification of sensitive system files, which can lead to privilege escalation or compromise of the host. No exploits in the wild are currently reported and no official patch is linked in the record, although the affected-version range implies that upgrading to 6.3 or later remediates the issue. Because the File Manager plugin is widely used to manage files within WordPress installations, unpatched or unrestricted deployments are a significant risk vector.

Potential Impact

For European organizations that rely on WordPress for their web presence and use the File Manager plugin, this vulnerability poses a significant risk. Unauthorized access to system files can lead to data breaches, defacement, or further exploitation such as privilege escalation or lateral movement within the hosting environment, compromising the confidentiality and integrity of business data and customer information and potentially violating GDPR and other data protection regulations. Multisite WordPress installations, common in large organizations and at managed service providers, are particularly exposed because site administrators could reach files beyond their authorized scope. The absence of any user-interaction requirement and the ease of exploitation by any administrator account raise the threat level. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, exploitation could cause operational disruption and reputational damage.

Mitigation Recommendations

European organizations should immediately check whether they use the File Manager WordPress plugin and which version is installed. Installations running a version prior to 6.3 should be upgraded to the latest patched version as soon as it is available. Until then, administrators should restrict use of the plugin to highly trusted users and consider disabling it where it is not essential. Enforce strict role-based access control within WordPress to limit administrator privileges, and monitor administrative activity for suspicious behavior, in particular changes to the plugin's root directory setting. Web application firewalls (WAFs) can be configured to detect and block path traversal patterns. Audit file system permissions and WordPress configuration regularly to confirm that no unauthorized root directory changes have been made, and review backup strategies so that recovery after a compromise is fast. Finally, follow updates from the plugin vendor and security advisories so that patches are applied promptly.
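As an added example (not the plugin's code or a vendor patch), a PHP check of the kind that closes this gap: canonicalise an administrator-supplied root and accept it only if it stays inside an allowed base, which is the WordPress root (ABSPATH) for network administrators and the site's own uploads directory for multisite site administrators. The function names `confine_root` and `file_manager_root_from_setting` are hypothetical; `is_multisite()`, `is_super_admin()`, `wp_upload_dir()` and `ABSPATH` are standard WordPress APIs.

```php
<?php
// Added example, not the File Manager plugin's code. Names below are hypothetical.

/**
 * Return the canonical form of $requestedRoot if it is $allowedBase itself or a
 * descendant of it; return null if it points anywhere else or does not exist.
 */
function confine_root(string $requestedRoot, string $allowedBase): ?string
{
    // realpath() resolves "..", symlinks and duplicate separators, and
    // returns false for a path that does not exist.
    $base = realpath($allowedBase);
    $root = realpath($requestedRoot);
    if ($base === false || $root === false) {
        return null;
    }
    // Compare with a trailing separator so that "/var/www/html-other" is not
    // accepted as a child of "/var/www/html".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $root;
}

/**
 * Resolve the stored root setting for the current user. Multisite site admins
 * are confined to their site's uploads directory, network admins to ABSPATH.
 * A setting outside the allowed base (the CVE-2023-5907 condition) is logged
 * and replaced by the safe default.
 */
function file_manager_root_from_setting(string $configured): string
{
    $allowed = (is_multisite() && !is_super_admin())
        ? wp_upload_dir()['basedir']
        : ABSPATH;

    $root = confine_root($configured, $allowed);
    if ($root === null) {
        error_log('File manager root rejected, outside allowed base: ' . $configured);
        return rtrim($allowed, DIRECTORY_SEPARATOR);
    }
    return $root;
}
```

Auditing is the same comparison run the other way: read the stored root setting from the options table and pass it through `confine_root` against the expected base, flagging any site where the result is null.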

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2023-11-01T15:24:37.072Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6835d30c182aa0cae216c47c

Added to database: 5/27/2025, 2:58:20 PM

Last enriched: 7/6/2025, 4:26:35 AM

Last updated: 8/15/2025, 11:34:07 AM
