Hello @mehrazmorshed,
Yes, I was notified by the WordPress moderation team; the vulnerability was reported by Wordfence.
I’ve already patched and sent it via SVN. I’m waiting for feedback from the moderation team so that the update is available to everyone.
If you’re using the plugin, it’s the File Manager module that has this vulnerability. But to exploit this vulnerability, you already need to be an administrator on WordPress.
And so, an admin could very well install one of the many available plugins to inject malicious code, so don’t worry if you have the plugin installed.
The patch is coming soon… I hope so 😅
