PT-2024-38037 · WordPress · File Manager Pro – Filester
Bartek Nowotarski
·
Published
2024-08-03
·
Updated
2024-08-05
·
CVE-2024-7031
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.2
Description
The issue allows authenticated attackers with granted permissions by an Administrator to update plugin settings for user role restrictions. This is due to a missing capability check on the
njt fs saveSettingRestrictions function, making it possible to allow file types such as .php to be uploaded.Recommendations
For versions up to, and including, 1.8.2, update to a version that includes a fix for the missing capability check on the
njt fs saveSettingRestrictions function. As a temporary workaround, consider restricting access to the njt fs saveSettingRestrictions function to prevent unauthorized modification of data. Additionally, restrict the upload of file types such as .php to minimize the risk of exploitation.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
File Manager Pro – Filester