El-Finder is a good file manager  plugin which can be used with TinyMCE or CKEditor.

This plugin has a vulnerability of accessing server side files for non authorized users.

El-Finder screenshot

My solution

To secure the access to server files for non authorized users, add the following lines to the file elfinder/php/connector.php

<?php
require __DIR__ . '/../../../../vendor/autoload.php';

$sessionConfig  = new \Zend\Session\Config\SessionConfig();
$sessionManager = new \Zend\Session\SessionManager($sessionConfig);
$sessionManager->start();

if (! isset($_SESSION['Admin_Auth']) || null === $_SESSION['Admin_Auth']) {
    echo json_encode(array(
        'error' => 'errAccess',
    ));
    exit();
}

Now when accessing the elfinder.html url, you'll get an error message:

elfinder access error message