WordPress Plugin Vulnerabilities

File Manager < 7.2.8 - Missing Authorization

Description

The File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mk_file_manager_backup_callback function in versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger backups

Affects Plugins

Plugin icon
wp-file-manager
Fixed in 7.2.8

References

CVE
CVE-2024-37254
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/88db56a6-8e4c-4ef8-b51a-a2744c3132e2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
05d82b75-f4b8-432e-bfbc-65edcd1c4376

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2023-10-25
Title
YITH WooCommerce Product Add-Ons < 4.2.1 - Missing Authorization
Published
2025-05-16
Title
WooCommerce POS < 1.7.9 - Missing Authorization
Published
2026-01-08
Title
Frontend Admin by DynamiApps < 3.28.26 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element
Published
2022-08-25
Title
Event Calendar < 1.4.7 - Unauthenticated Arbitrary Event Deletion
Published
2025-10-14
Title
WhyDonate – FREE Donate button – Crowdfunding – Fundraising < 4.0.16 - Missing Authorization to Unauthenticated wp_wdplugin_style Rww Deletion