Tang Cheuk Hei

**Name of the Vulnerable Software and Affected Versions** File Manager Pro – Filester plugin for WordPress versions 1.8.8 and earlier **Description** The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users, including subscribers, which would make this vulnerability more severe on such sites. **Recommendations** For versions 1.8.8 and earlier, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the file manager functionality to only necessary users until a patch is available. Restrict file uploads to only necessary file types to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Bit File Manager versions up to, and including, 6.7 **Description** The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. **Recommendations** For versions up to, and including, 6.7, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting via SVG File uploads. As a temporary workaround, consider restricting access to SVG file uploads for users with Subscriber-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Advanced File Manager plugin for WordPress versions 5.2.12 through 5.2.13 **Description** The issue is related to arbitrary file uploads due to missing file type validation in the `fma local file system` function. This allows authenticated attackers with Subscriber-level access and above, and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server, potentially making remote code execution possible. The function can only be exploited if the "Display .htaccess?" setting is enabled. **Recommendations** For versions 5.2.12 through 5.2.13, consider disabling the `fma local file system` function until a patch is available. Restrict access to the Advanced File Manager plugin to minimize the risk of exploitation. Avoid using the "Display .htaccess?" setting in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Tracking Code Manager plugin for WordPress versions up to, and including, 2.3.0 Description: The issue is related to Stored Cross-Site Scripting via the tracking code field due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 2.3.0, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the tracking code field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.1.4 **Description** The issue allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server via the `default lang` parameter. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. **Recommendations** For versions up to, and including, 1.1.4, update to a version higher than 1.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the `default lang` parameter to minimize the risk of exploitation. Avoid using the `default lang` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.5 **Description** The File Manager Pro – Filester plugin for WordPress is vulnerable to Local JavaScript File Inclusion via the `fm locale` parameter. This allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. **Recommendations** For versions up to, and including, 1.8.5, consider disabling the `fm locale` parameter until a full patch is available. As a temporary workaround, restrict access to the plugin's functionality to minimize the risk of exploitation. Update to a version later than 1.8.5 once a fully patched version is released, as version 1.8.5 only partially addresses the issue.

Name of the Vulnerable Software and Affected Versions: File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.6 Description: The issue is related to arbitrary file uploads due to missing validation in the `fsConnector` function. This allows authenticated attackers with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file, which may subsequently enable them to upload arbitrary files on the affected site's server, potentially making remote code execution possible. Recommendations: For versions up to, and including, 1.8.6, update to a version higher than 1.8.6 to resolve the issue. As a temporary workaround, consider disabling the `fsConnector` function until a patch is available. Restrict access to the File Manager Pro – Filester plugin to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: File Manager Pro plugin for WordPress versions up to, and including, 8.3.9 Description: The issue is due to a lack of proper checks on allowed file types, making it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files. This could lead to Stored Cross-Site Scripting. Recommendations: For versions up to, and including, 8.3.9, update to a version that includes proper checks on allowed file types to prevent Limited JavaScript File Upload. As a temporary workaround, consider restricting file upload permissions to prevent unauthenticated attackers from uploading malicious files.

Name of the Vulnerable Software and Affected Versions: File Manager Pro plugin for WordPress versions up to, and including, 8.3.9 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'mk file folder manager' ajax action. This allows unauthenticated attackers to upload arbitrary files by tricking a site administrator into performing an action, such as clicking on a link. Recommendations: For versions up to, and including, 8.3.9, update to a version that includes the fix for the nonce validation issue in the 'mk file folder manager' ajax action to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the 'mk file folder manager' ajax action until a patch is available.

Name of the Vulnerable Software and Affected Versions: File Manager Pro plugin for WordPress versions up to, and including, 8.3.9 Description: The issue allows unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server, which may make remote code execution possible. This is due to missing file type validation via the `mk file folder manager shortcode` ajax action. Recommendations: For versions up to, and including, 8.3.9, update to a version higher than 8.3.9 to resolve the issue. As a temporary workaround, consider restricting access to the `mk file folder manager shortcode` ajax action until a patch is available. Additionally, restrict the File Manager access to only necessary personnel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WPIDE – File Manager & Code Editor plugin for WordPress versions up to, and including, 3.4.9 **Description** The WPIDE – File Manager & Code Editor plugin for WordPress is vulnerable to Full Path Disclosure. This issue arises from the plugin's utilization of the PHP-Parser library, which outputs parser rebuild command execution results, allowing unauthenticated attackers to retrieve the full path of the web application. This information, while not useful on its own, can aid other attacks when combined with another vulnerability. **Recommendations** For versions up to, and including, 3.4.9, update to a version later than 3.4.9 to resolve the issue. As a temporary workaround, consider restricting access to the PHP-Parser library until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Contact Form by Bit Form plugin for WordPress versions up to, and including, 2.15.2 **Description** The issue arises from improper input validation within the `iconUpload` function, allowing authenticated attackers with Administrator-level access and above to read the contents of arbitrary files on the server. This can be achieved by leveraging a PHP filter chain attack, potentially exposing sensitive information. **Recommendations** For versions up to, and including, 2.15.2, update to a version that includes a fix for the improper input validation in the `iconUpload` function. As a temporary workaround, consider restricting access to the `iconUpload` function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.0.9 Description: The issue is related to arbitrary file uploads due to missing file type validation in the `fileorganizer ajax handler` function. This allows authenticated attackers with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server, potentially making remote code execution possible. The FileOrganizer Pro plugin must be installed and active for Subscriber+ users to upload files. Recommendations: For versions up to, and including, 1.0.9, consider disabling the `fileorganizer ajax handler` function until a patch is available to prevent arbitrary file uploads. Additionally, restrict permissions for Subscriber-level users and above to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Bit File Manager versions up to, and including, 6.5.7 Description: The issue is due to a lack of proper checks on allowed file types, making it possible for authenticated attackers with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files. This could lead to Stored Cross-Site Scripting. Recommendations: For versions up to, and including, 6.5.7, update to a version later than 6.5.7 to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary file types until a patch is available. Restrict access to the file upload feature to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Advanced File Manager plugin for WordPress versions up to, and including, 5.2.8 Description: The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion via the `fma locale` parameter. This allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Recommendations: For versions up to, and including, 5.2.8, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the `fma locale` parameter to minimize the risk of exploitation. Restrict file uploads to only necessary file types and ensure proper validation and sanitization of uploaded files. Limit Administrator-level access to only trusted users to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Advanced File Manager plugin for WordPress versions up to, and including, 5.2.8 Description: The issue allows authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. This is achieved via the `class fma connector.php` file. The vulnerability can be exploited by uploading a new .htaccess file, enabling subsequent arbitrary file uploads. Recommendations: For versions up to, and including, 5.2.8, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the `class fma connector.php` file until a patch is available. Additionally, review and restrict permissions granted to users with Subscriber-level access and above to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WordPress (affected versions not specified) Description: The issue is due to a lack of proper checks, allowing lower-privileged roles to upload .css and .js files to arbitrary directories. This enables authenticated attackers with Subscriber-level access and above, granted permissions by an administrator, to upload .css and .js files to any directory within the WordPress root directory, potentially leading to Stored Cross-Site Scripting. The Advanced File Manager Shortcodes plugin must be installed to exploit this issue. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Bit File Manager plugin for WordPress versions up to, and including, 6.5.5 **Description** The issue is related to arbitrary file uploads due to missing file type validation in the `upload` function. This allows authenticated attackers with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For versions up to, and including, 6.5.5, upgrade to version 6.5.6 as soon as possible to resolve the issue. As a temporary workaround, consider restricting upload permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bit File Manager plugin for WordPress versions 6.0 through 6.5.5 **Description** The issue is related to Remote Code Execution. This occurs due to the plugin writing a temporary file to a publicly accessible directory before performing file validation, specifically through the `checkSyntax` function. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions. **Recommendations** For versions 6.0 through 6.5.5, consider disabling the `checkSyntax` function as a temporary workaround until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially if Guest User read permissions are enabled. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** File Manager Pro plugin for WordPress versions up to, and including, 8.3.7 **Description** The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the `mk file folder manager` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. **Recommendations** For versions up to, and including, 8.3.7, upgrade to version 8.3.8 to mitigate risks. As a temporary workaround, consider restricting access to the `mk file folder manager` AJAX action until the issue is resolved. Avoid using the File Manager Pro plugin until the upgrade is applied.