CVE-2024-2324

Name of the Vulnerable Software and Affected Versions The FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.0.6

Description The issue is related to Stored Cross-Site Scripting via svg file upload due to insufficient input sanitization and output escaping. This allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affects both the free and pro versions of the plugin, with the free version limited to exploitation by administrators, and the pro version also exploitable by lower-level users if certain functionality is enabled.

Recommendations For versions up to, and including, 1.0.6, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the svg file upload functionality until a patch is available. Additionally, restrict the ability of lower-level users to upload files in the pro version to minimize the risk of exploitation.