Limited JavaScript File Upload Vulnerability in Bit File Manager
CVE-2024-8743

6.8MEDIUM

Key Information:

Vendor: Wordpress
Status: Bit File Manager – 100% Free & Open Source File Manager And Code Editor For WordPress
Vendor: CVE Published:; 5 October 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

Affected Version(s)

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress * <= 6.5.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8743-PoC
Created by siunam321

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3161219/

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 9, 2025
👾
Exploit known to exist
Jan 9, 2025
Vulnerability published
Oct 5, 2024
Vulnerability Reserved
Sep 11, 2024

Credit

TANG Cheuk Hei