Arbitrary File Upload Vulnerability in File Manager Pro's Filester Plugin

CVE-2024-8066

7.5HIGH

Key Information

Vendor: Ninjateam
Status: File Manager Pro – Filester
Vendor: CVE Published:; 28 November 2024

Summary

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected Version(s)

File Manager Pro – Filester <= 1.8.4

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Nov 28, 2024
Disclosed
Nov 27, 2024
Vulnerability Reserved.
Aug 21, 2024

Collectors

NVD DatabaseMitre Database

Credit

TANG Cheuk Hei