CVE-2024-7559
23.08.2024, 03:15
The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
| Vendor | Product | Version |
|---|---|---|
| filemanagerpro | file_manager_pro | 𝑥 ≤ 8.3.7 |
| filemanagerpro.io | file_manager_pro | 𝑥 ≤ 8.3.7 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-434 - Unrestricted Upload of File with Dangerous TypeThe software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.