Arbitrary File Upload Vulnerability in FileOrganizer Plugin for WordPress
CVE-2024-7985

8.8HIGH

Key Information:

Vendor
Fileorganizer
Status
Fileorganizer
Vendor
CVE Published:
29 October 2024

Summary

The FileOrganizer plugin for WordPress, versions up to and including 1.0.9, has a vulnerability due to inadequate file type validation in the 'fileorganizer_ajax_handler' function. This flaw enables authenticated users, particularly those with Subscriber-level permissions and above, to upload arbitrary files to the server. Should the FileOrganizer Pro plugin be active, these users can exploit this weakness, potentially leading to unauthorized remote code execution on the affected site.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/fileorganizer/...
https://plugins.trac.wordpress.org/changeset/3149878/

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD Database
.