Unauthorized Access to Media Files and Folders via Missing Capability Checks
CVE-2024-7858

6.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Media Library Folders
Vendor: CVE Published:; 30 August 2024

Summary

The Media Library Folders plugin for WordPress is exposed to unauthorized access because of insufficient capability checks on multiple AJAX functions found in the media-library-plus.php file. This weakness affects all versions of the plugin through 8.2.3, allowing authenticated attackers with subscriber-level permission or higher to execute various actions that can manipulate media files and folders, as well as alter plugin settings. This vulnerability highlights the critical need for rigorous access controls within WordPress plugins to protect against potential insider threats.

Affected Version(s)

Media Library Folders * <= 8.2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/media-library-...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2024
Vulnerability Reserved
Aug 15, 2024

Credit

Lucio Sá