The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Fri, 23 Aug 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Filemanagerpro
Filemanagerpro file Manager Pro
CPEs cpe:2.3:a:filemanagerpro:file_manager_pro:*:*:*:*:*:wordpress:*:*
Vendors & Products Filemanagerpro
Filemanagerpro file Manager Pro
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Aug 2024 02:45:00 +0000

Type Values Removed Values Added
Description The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-08-23T02:31:46.637Z

Updated: 2024-08-23T14:09:01.521Z

Reserved: 2024-08-06T14:09:23.803Z

Link: CVE-2024-7559

cve-icon Vulnrichment

Updated: 2024-08-23T14:08:53.139Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-08-23T03:15:04.060

Modified: 2024-08-23T16:18:28.547

Link: CVE-2024-7559

cve-icon Redhat

No data.