A vulnerability has been discovered in the wp-FileManager plugin for WordPress, which can be exploited by malicious people to disclose potentially sensitive information.
The application does not properly restrict access to wp-content/plugins/wp-filemanager/incl/libfile.php, which can be exploited to download arbitrary files via directory traversal sequences.
Successful exploitation of this vulnerability requires "Allow Download" enabled in the wp-FileManager plugin settings.
The vulnerability is confirmed in version 1.3.0. Prior versions may also be affected.
