WordPress Plugin Vulnerabilities

WP Media folder < 5.7.3 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The WP Media folder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 5.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
wp-media-folder
Fixed in 5.7.3

References

CVE
CVE-2024-25909
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f5e4a172-38de-49d3-8a5d-62253cf6d67c

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
07da16e2-16be-48ee-9bbc-9bbb526acb0c

Timeline

Publicly Published
2024-02-15 (about 2 years ago)
Added
2024-03-22 (about 1 year ago)
Last Updated
2024-03-22 (about 1 year ago)

Other

Published
Title
Published
2025-01-16
Title
Advanced File Manager 5.2.12 - 5.2.13 - Subscriber+ Arbitrary File Upload
Published
2014-08-01
Title
Uploader 1.0.4 - Shell Upload
Published
2014-08-01
Title
Annonces 1.2.0.1 - admin/theme.php File Upload PHP Code Execution
Published
2025-11-07
Title
Alex Reservations: Smart Restaurant Booking < 2.2.4 - Authenticated (Admin+) Arbitrary File Upload
Published
2015-12-23
Title
NextGEN Gallery < 2.1.15 - Unrestricted File Upload