Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Shahjada

    (@codename065)

    Not clear; could you please give me the URL where you are trying this, so that I can check?

    Thread Starter myplugins

    (@myplugins)

    There’s no need – it is clear. When you add files there is an option to “add from server”; this shows all the files on the server.

    Plugin Author Shahjada

    (@codename065)

    You can set the file browser root from the settings page.

    I also have a concern about the possible security implications if an attacker were to exploit your plugin to gain access to the root through your advanced server file browser.

    This could possibly put all sites using the plugin at risk.

    Is there any way to remove or completely disable the feature?

    Not only that:

    In a multi-user environment any author with the basic privilege level can embed any file from anywhere in the file system — even the .htaccess file or your wp-config.php (if you left it at the document root).

    They can embed other users’ files; they don’t even have to use the file browser for that, they all appear in the list.

    They can replace a file uploaded by another user with an arbitrary file of their own, simply by clicking the red “X” button and selecting a new file.

    They can remove or change passwords on others’ files.

    It appears that the premium versions let you activate it for individual blogs; but the documentation doesn’t make clear how that works, or if these holes are in fact patched up in that version. Shaon, if I were sure that it works in a safe way I think we’d be willing to purchase it.

    But for the time being, it’s far too much of a risk for my taste.
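
The server-side checks the last reply is asking about, as an added example that is not part of the thread and not the plugin's own code: a picked path is confined to the configured browser root, `.htaccess`-style dotfiles and PHP source are refused, and only the uploader or an administrator may change an entry. The function names, the deny rules and the demo file tree are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// Return the canonical path if $requested stays inside $root and is not a sensitive file, else null.
function resolve_browsable_file(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || !is_dir($rootReal)) {
        return null; // misconfigured root: fail closed
    }
    // realpath() collapses ".." and follows symlinks, so the prefix test
    // below is made on the file's true location.
    $fileReal = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // The trailing separator stops "/srv/files-private" passing as a child of "/srv/files".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Assumed policy: refuse dotfiles and PHP source even when they sit inside the root.
    $name = basename($fileReal);
    if ($name[0] === '.' || strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'php') {
        return null;
    }
    return $fileReal;
}

// Only the uploader or an administrator may replace a file entry or change its password.
function may_modify_entry(int $entryOwnerId, int $currentUserId, bool $isAdmin): bool
{
    return $isAdmin || $entryOwnerId === $currentUserId;
}

// Constructed demo tree in the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'browser-demo-' . getmypid();
mkdir($base . '/site/downloads', 0700, true);
file_put_contents($base . '/site/wp-config.php', '<?php // constructed');
file_put_contents($base . '/site/downloads/manual.pdf', 'constructed');
file_put_contents($base . '/site/downloads/.htaccess', 'constructed');

$root = $base . '/site/downloads';
var_dump(resolve_browsable_file($root, 'manual.pdf'));       // file inside the root
var_dump(resolve_browsable_file($root, '../wp-config.php')); // traversal to the parent directory
var_dump(resolve_browsable_file($root, '.htaccess'));        // dotfile inside the root
var_dump(may_modify_entry(7, 12, false));                    // author 12 acting on author 7's entry
```

The same two checks have to run on every request that embeds, replaces or re-passwords a file, not only when the file browser is rendered, since the thread notes that other users' files are reachable without the browser.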

  • The topic ‘add files from server – whats the risk?’ is closed to new replies.