PT-2024-38419 · WordPress · File Manager Pro
Siunam
+1
·
Published
2024-08-22
·
Updated
2024-08-27
·
CVE-2024-7559
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
File Manager Pro plugin for WordPress versions up to, and including, 8.3.7
Description
The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the
mk file folder manager AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.Recommendations
For versions up to, and including, 8.3.7, upgrade to version 8.3.8 to mitigate risks. As a temporary workaround, consider restricting access to the
mk file folder manager AJAX action until the issue is resolved. Avoid using the File Manager Pro plugin until the upgrade is applied.Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
File Manager Pro