PT-2022-14107 · WordPress · Filr

Dc11 · Published 2022-06-13 · Updated 2022-06-21 · CVE-2022-1777

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Filr WordPress plugin versions prior to 1.2.2.1

Description

Two AJAX actions in the Filr WordPress plugin lack authorization checks. Any authenticated user can call them, including users with minimal permissions such as subscribers. The actions are protected by a nonce, but this nonce is leaked on the dashboard, potentially allowing attackers to upload arbitrary HTML files or delete files, either all of them or specific ones.

Recommendations

For versions prior to 1.2.2.1, update to version 1.2.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the dashboard to prevent the nonce leak, or disable the two vulnerable AJAX actions until a patch is applied.
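
One way to apply the temporary workaround is a must-use plugin that puts the missing capability check in front of the two AJAX actions. This is an added example, not code from the Filr plugin or its patch; the action names, the function and constant names, and the required capability are placeholders and assumptions to be replaced with the values from the installed plugin and the site's own policy.

```php
<?php
/**
 * Plugin Name: AJAX capability guard (added example)
 *
 * Place in wp-content/mu-plugins/. The action names below are
 * placeholders, NOT the Filr plugin's real action names: replace them
 * with the two AJAX actions registered by the installed plugin version.
 */

// Placeholder action name => capability required to call it (assumed policy).
const EXAMPLE_GUARDED_ACTIONS = array(
    'example_upload_action' => 'upload_files',
    'example_delete_action' => 'upload_files',
);

function example_ajax_capability_guard() {
    // current_action() returns the running hook, e.g. "wp_ajax_example_upload_action".
    $action   = substr( current_action(), strlen( 'wp_ajax_' ) );
    $required = EXAMPLE_GUARDED_ACTIONS[ $action ] ?? 'manage_options';

    // A valid nonce only shows that the request came from a page the user
    // loaded. It says nothing about what that user is allowed to do, so the
    // capability is checked separately.
    if ( ! current_user_can( $required ) ) {
        // Sends a JSON error with HTTP 403 and ends the request.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}

foreach ( array_keys( EXAMPLE_GUARDED_ACTIONS ) as $example_action ) {
    // The lowest possible priority runs before the plugin's own handler
    // (default priority 10). Because the guard ends the request on failure,
    // the vulnerable handler is never reached for under-privileged users.
    add_action( 'wp_ajax_' . $example_action, 'example_ajax_capability_guard', PHP_INT_MIN );
}
```

Subscribers do not hold `upload_files` in a default WordPress role setup, so with this guard a leaked nonce alone no longer lets them reach either handler.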

Exploit

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2022-1777

Affected Products

Filr