elFinder is a good file manager plugin which can be used with TinyMCE or CKEditor.
This plugin has a vulnerability: its PHP connector script does not check whether the caller is logged in, so unauthorized users can browse and access server-side files through it.
My solution
To restrict access to server files to authorized users only, add the following lines at the top of the file elfinder/php/connector.php (before the connector's own code runs):
<?php
require __DIR__ . '/../../../../vendor/autoload.php';

// Start the same session the rest of the application uses, so the flag set at login is visible here.
$sessionConfig = new \Zend\Session\Config\SessionConfig();
$sessionManager = new \Zend\Session\SessionManager($sessionConfig);
$sessionManager->start();

// Refuse to serve the connector unless the login code has set the Admin_Auth session flag.
// The JSON body uses elFinder's own 'errAccess' error key, which the client displays as an access error.
if (! isset($_SESSION['Admin_Auth']) || null === $_SESSION['Admin_Auth']) {
    echo json_encode(array(
        'error' => 'errAccess',
    ));
    exit();
}
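A stricter variant of the same gate, added here as an example and not part of the original post: it only accepts an explicit boolean true (plain isset() would let a value of false through, since isset() is true for false and false !== null) and returns an HTTP 403 alongside the JSON body so the denial is visible in server logs and proxies. It assumes the login code sets $_SESSION['Admin_Auth'] = true on success and regenerates the session id at that point; the function name is my own.

```php
<?php
// Added example, not elFinder's or the original author's code.
// Goes at the top of elfinder/php/connector.php, before the connector runs.
require __DIR__ . '/../../../../vendor/autoload.php';

$sessionManager = new \Zend\Session\SessionManager(
    new \Zend\Session\Config\SessionConfig()
);
$sessionManager->start();

/**
 * True only when the session carries an explicit boolean true.
 * A missing key, null, false, 0 or "" all fail the check, so a login
 * routine that stores false on failure cannot accidentally open the connector.
 * (Assumed contract: login sets $_SESSION['Admin_Auth'] = true and calls
 * session_regenerate_id(true) right after a successful credential check.)
 */
function isAdminAuthenticated(array $session): bool
{
    return isset($session['Admin_Auth']) && $session['Admin_Auth'] === true;
}

if (!isAdminAuthenticated($_SESSION)) {
    // 403 instead of a 200 with an error body: access-log based monitoring
    // and rate limiting can then see repeated denied connector requests.
    http_response_code(403);
    header('Content-Type: application/json');
    // 'errAccess' is the error key elFinder's client already understands.
    echo json_encode(['error' => 'errAccess']);
    exit();
}

// Authenticated: fall through to the regular elFinder connector code below.
```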
Now, when an unauthenticated user opens the elfinder.html URL, they get an error message instead of the file listing: