Title: [Plugin: CKEditor For WordPress] Security flaw
Last modified: August 20, 2016

---

# [Plugin: CKEditor For WordPress] Security flaw

 *  Resolved [harrisonhill777](https://wordpress.org/support/users/harrisonhill777/)
 * (@harrisonhill777)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/)
 * I just found that Google indexed all CKEditor files and one of them includes this:
 * /wp-content/plugins/ckeditor-for-wordpress/filemanager
 * From there anyone could upload any file.
 * [http://wordpress.org/extend/plugins/ckeditor-for-wordpress/](http://wordpress.org/extend/plugins/ckeditor-for-wordpress/)

Viewing 9 replies - 1 through 9 (of 9 total)

 *  Plugin Contributor [michal](https://wordpress.org/support/users/michal_cksource/)
 * (@michal_cksource)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280233)
 * Does Google index files from other plugins? We will check this, thanks for reporting this.
 *  Thread Starter [harrisonhill777](https://wordpress.org/support/users/harrisonhill777/)
 * (@harrisonhill777)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280317)
 * No, I haven’t seen any other plugin indexed by Google. I just checked and 64 400 results appeared on the query “/wp-content/plugins/ckeditor-for-wordpress/filemanager”.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280319)
 * How could anyone upload any file just by going to domain.com/wp-content/plugins/ckeditor-for-wordpress/filemanager though?
 * Google searches for anything that’s linked to, though, so the plugin shouldn’t be linking from the FRONT end of the site to the BACK end where the plugin is located.
 *  Thread Starter [harrisonhill777](https://wordpress.org/support/users/harrisonhill777/)
 * (@harrisonhill777)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280326)
 * Well, check this out:
 * wp-content/plugins/ckeditor-for-wordpress/filemanager/browser/default/browser.html
 * Actually, I haven’t linked to CKEditor anywhere (why should I?) and I doubt that any of the 64 400 site admins that can be found by this query in Google have linked to it.
 *  Plugin Contributor [michal](https://wordpress.org/support/users/michal_cksource/)
 * (@michal_cksource)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280336)
 * I think that this depends on WordPress, domain and server configuration. As [@ipstenu](https://wordpress.org/support/users/ipstenu/) wrote, Google indexes everything it can, but WordPress/site configuration should block some links. You can’t upload a file just by going to the
 * > /wp-content/plugins/ckeditor-for-wordpress/filemanager
 * link.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280344)
 * I checked on wp-content/plugins/ckeditor-for-wordpress/filemanager/browser/default/browser.html and I can’t see that it uploaded anything, while logged out.
 * > WordPress/site configuration should block some links.
 * No… WordPress can only block what it KNOWS about. If you add a plugin, the PLUGIN should block. Personally, I think that plugin ought to be PHP wrapped and have a wp_die() call in it to make sure you can’t hit it up outside of wp-admin.
 * Yes, YOU should block file browsing, though as this doesn’t work on all servers, WP can’t put it in.
 * Put `Options -Indexes` at the top of .htaccess and that will block people from browsing around. But it won’t stop someone who knows where a file is directly.
 * (ETA: I reported this to pluginsATwordpress.org anyway, as a possible security hole b/c you can pull up that html page and interact)
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280346)
 * I have temporarily suspended the plugin and contacted the authors.
 *  Plugin Contributor [michal](https://wordpress.org/support/users/michal_cksource/)
 * (@michal_cksource)
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280350)
 * I think that suspending our plugin because of a security issue for that reason is unfair. Yes, it’s bad that you can find the mentioned query via Google, but I will give you a few examples of what you can find in Google, and in my opinion this should be secured by WordPress (it should ban indexing of its directories).
 * Try searching in Google: “wp-includes/theme-compat”, “wp-content/plugins/akismet/”, “wp-content/plugins/custom-field-template”. There are plenty of other plugin, theme etc. examples. Of course I don’t want to harm other developers.
 * The file browser in our plugin is disabled by default. It also checks user permissions to use it and upload. This is the reason why we think that your reaction is too big. Of course, if someone adds permissions to upload for everyone on his site it’s his mistake/problem… but this situation occurs with all file browsers/editors and so on.
 * For now please unlock our plugin.
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [14 years, 8 months ago](https://wordpress.org/support/topic/plugin-ckeditor-for-wordpress-security-flaw/#post-2280352)
 * The indexing doesn’t bother me. That’s a site-specific issue. It’s the filemanager I was concerned about.
 * After analyzing the code, I’ve found that the actual upload functionality is performing a check on a non-default option to enable the filemanager. It’s not exactly the clearest code in the world, but it would stop the uploader from working with it turned off.
 * The plugin has been re-enabled.
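An added, hypothetical illustration (not the CKEditor for WordPress plugin's own code) of the two defensive checks discussed in this thread: Ipstenu's suggestion that the file manager entry point be PHP-wrapped with a `wp_die()` call so it cannot be reached outside the WordPress bootstrap, and Otto's observation that uploads only proceed when a non-default option is enabled and the user has permission. The option name, nonce action and upload field name are assumptions.

```php
<?php
/**
 * Hypothetical guard for a plugin-shipped file manager endpoint (added example).
 *
 * When loaded through WordPress (e.g. via admin-ajax.php or an admin page),
 * every check below runs. When the script is requested directly as a static
 * URL under /wp-content/plugins/..., ABSPATH is undefined and it stops at step 1.
 */

// 1. Refuse direct HTTP access outside the WordPress bootstrap.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit( 'Direct access is not allowed.' );
}

// 2. The file manager is an opt-in, non-default feature (option name is assumed).
if ( ! get_option( 'example_filemanager_enabled', false ) ) {
    wp_die( 'The file manager is disabled on this site.', '', array( 'response' => 403 ) );
}

// 3. Only authenticated users holding the upload capability may proceed.
if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
    wp_die( 'You do not have permission to upload files.', '', array( 'response' => 403 ) );
}

// 4. State-changing (upload) requests must carry a valid nonce to block CSRF.
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    check_admin_referer( 'example_filemanager_upload' ); // nonce action name is assumed

    if ( ! empty( $_FILES['upload'] ) ) { // field name is assumed
        // wp_handle_upload() enforces WordPress's allowed file type/MIME rules
        // and moves the file into the uploads directory.
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $result = wp_handle_upload( $_FILES['upload'], array( 'test_form' => false ) );

        if ( isset( $result['error'] ) ) {
            wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
        }
        wp_send_json_success( array( 'url' => $result['url'] ) );
    }
}
```

Pair this with `Options -Indexes` in .htaccess, as mentioned above, so directory listings stop feeding search engines; the PHP checks are what actually gate the upload.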


The topic ‘[Plugin: CKEditor For WordPress] Security flaw’ is closed to new replies.
