WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks


Designed to provide WordPress site admins with copy/paste, edit, delete, download/upload, and archive functionality for both files and folders, File Manager has over 700,000 active installs.

According to Seravo, which discovered the bug, the recently identified critical security flaw carries a CVSS score of 10 and could have allowed an attacker to upload files and execute code remotely on an affected site.

The hosting service says that File Manager versions prior to 6.9 are affected and that disabling the plugin does not prevent exploitation.
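
Because disabling the plugin does not prevent exploitation, an audit has to look at what is installed on disk rather than at the list of active plugins. The following is an added example, not code from Seravo or the plugin's authors: it reads the standard WordPress plugin header from each plugin folder and flags any File Manager copy older than 6.9. The function names, the `name_match` substring and the sample folder names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (6, 9)  # first unaffected release, per the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def headers(php_file):
    """Read WordPress plugin header fields from the first 8 KB of a file."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    found = {}
    for key, value in HEADER.findall(text):
        found.setdefault(key.lower(), value.strip())  # keep first occurrence
    return found

def version_tuple(s):
    """'6.8' -> (6, 8); only the first three numeric parts are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", s)[:3])

def find_affected(plugins_dir, name_match="file manager"):
    """Return (folder, version) for every on-disk copy older than FIXED."""
    # Active/inactive state is deliberately not consulted: the article says
    # disabling the plugin does not prevent exploitation.
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        h = headers(php)
        if name_match in h.get("plugin name", "").lower():
            ver = h.get("version", "")
            if not ver or version_tuple(ver) < FIXED:
                hits.append((php.parent.name, ver or "unknown"))
    return hits

def demo():
    """Build a constructed plugins directory in a temp dir and scan it."""
    sample = {"fm-old": "6.8", "fm-fixed": "6.9", "fm-disabled": "6.0"}  # constructed
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in sample.items():
            d = Path(root, folder)
            d.mkdir()
            (d / "main.php").write_text(
                f"<?php\n/*\n * Plugin Name: File Manager\n * Version: {ver}\n */\n")
        other = Path(root, "gallery")
        other.mkdir()
        (other / "gallery.php").write_text("<?php\n/*\nPlugin Name: Gallery\nVersion: 1.2\n*/\n")
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

On a real site, pass the path of the plugins directory to `find_affected` and remove or update every folder it reports, including copies that are deactivated.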