CVE-2024-7985

Name of the Vulnerable Software and Affected Versions: The FileOrganizer – Manage WordPress and Website Files plugin for WordPress versions up to, and including, 1.0.9

Description: The issue is related to arbitrary file uploads due to missing file type validation in the fileorganizer ajax handler function. This allows authenticated attackers with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server, potentially making remote code execution possible. The FileOrganizer Pro plugin must be installed and active for Subscriber+ users to upload files.

Recommendations: For versions up to, and including, 1.0.9, consider disabling the fileorganizer ajax handler function until a patch is available to prevent arbitrary file uploads. Additionally, restrict permissions for Subscriber-level users and above to minimize the risk of exploitation.