Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
CVE-2022-3125

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Frontend File Manager Plugin
Vendor: CVE Published:; 3 October 2022

Summary

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

Affected Version(s)

Frontend File Manager Plugin 21.3

References

https://wpscan.com/vulnerability/d3d9dc9a-226b-4f76-995e-...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 3, 2022
Vulnerability Reserved
Sep 5, 2022

Credit

Raad Haddad of Cloudyrion GmbH