The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server which may make remote code execution possible.
References
Link | Resource |
---|---|
https://filemanagerpro.io/ | Product |
https://www.wordfence.com/threat-intel/vulnerabilities/id/88f1eb9a-f3bb-4b62-975f-a6cb95850966?source=cve | Third Party Advisory |
Configurations
History
17 Oct 2024, 18:22
Type | Values Removed | Values Added |
---|---|---|
References | () https://filemanagerpro.io/ - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/88f1eb9a-f3bb-4b62-975f-a6cb95850966?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
CPE | cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:pro:wordpress:*:* | |
First Time |
Filemanagerpro
Filemanagerpro file Manager |
16 Oct 2024, 16:38
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
16 Oct 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-16 07:15
Updated : 2024-10-17 18:22
NVD link : CVE-2024-8746
Mitre link : CVE-2024-8746
CVE.ORG link : CVE-2024-8746
JSON object : View
Products Affected
filemanagerpro
- file_manager
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type