Stored Cross-Site Scripting Vulnerability in FileOrganizer Plugin

CVE-2024-2324

4.4MEDIUM

Key Information

Vendor: Softaculous
Status: Fileorganizer – Manage WordPress And Website Files
Vendor: CVE Published:; 2 May 2024

Summary

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. For the free version, this is limited to administrators. The pro version is also vulnerable and exploitable by administrators, but also offers the functionality to lower level users (as low as subscribers) if enabled.

Affected Version(s)

FileOrganizer – Manage WordPress and Website Files <= 1.0.6

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
May 2, 2024
Disclosed
Apr 23, 2024
Vulnerability Reserved.
Mar 8, 2024

Collectors

NVD DatabaseMitre Database

Credit

Mdr001