Arbitrary File Inclusion Vulnerability in FileOrganizer Plugin
CVE-2024-11010
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 7 December 2024
Summary
The FileOrganizer – Manage WordPress and Website Files plugin contains a vulnerability that allows local JavaScript file inclusion through the 'default_lang' parameter. Authenticated users with Administrator-level access can exploit this flaw to include and execute arbitrary JavaScript files on the server. This exploitation can lead to unauthorized code execution, data breaches, and bypassing of access controls, especially when combined with attack vectors that permit uploading seemingly safe file types, such as images.
Affected Version(s)
FileOrganizer – Manage WordPress and Website Files * <= 1.1.4
CVSS V3.1
- Score: 7.2
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
TANG Cheuk Hei