CVE-2024-7627

The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bitapps:file_manager:*:*:*:*:*:wordpress:*:*

History

11 Sep 2024, 16:31

Type Values Removed Values Added
CPE cpe:2.3:a:bitapps:file_manager:*:*:*:*:*:wordpress:*:*
CWE CWE-362
First Time Bitapps
Bitapps file Manager
References () https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L39 - () https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L39 - Product
References () https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L88 - () https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L88 - Product
References () https://plugins.trac.wordpress.org/changeset/3138710/ - () https://plugins.trac.wordpress.org/changeset/3138710/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/5f29de7a-3f15-4b6d-aad7-6a08151e2113?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/5f29de7a-3f15-4b6d-aad7-6a08151e2113?source=cve - Third Party Advisory

05 Sep 2024, 12:53

Type Values Removed Values Added
Summary
  • (es) El complemento Bit File Manager para WordPress es vulnerable a la ejecución remota de código en las versiones 6.0 a 6.5.5 a través de la función 'checkSyntax'. Esto se debe a que se escribe un archivo temporal en un directorio de acceso público antes de realizar la validación del archivo. Esto hace posible que atacantes no autenticados ejecuten código en el servidor si un administrador ha otorgado permisos de lectura a usuarios invitados.

05 Sep 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-05 03:15

Updated : 2024-09-11 16:31


NVD link : CVE-2024-7627

Mitre link : CVE-2024-7627

CVE.ORG link : CVE-2024-7627


JSON object : View

Products Affected

bitapps

  • file_manager
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-94

Improper Control of Generation of Code ('Code Injection')