WordPress Plugin Vulnerabilities

FileOrganizer < 1.0.8 - Sensitive Information Exposure via Directory Listing

Description

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizer_ajax_handler' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

Affects Plugins

Plugin icon
fileorganizer
Fixed in 1.0.8

References

CVE
CVE-2024-5599
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/78e7b65d-91f8-477e-b992-3148c1b65d7b

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
3ccc6d5c-5823-4211-9f7e-9763b1c9219e

Timeline

Publicly Published
2024-06-06 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-11 (about 1 year ago)

Other

Published
Title
Published
2023-03-16
Title
WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure
Published
2024-04-05
Title
Subscribe To Comments Reloaded < 240119 - Unauthenticated Sensitive Information Exposure
Published
2025-11-04
Title
The Events Calendar < 6.15.10 - Unauthenticated Sensitive Information Exposure
Published
2022-03-09
Title
Booking Package < 1.5.29 - Unauthenticated Sensitive Data Disclosure
Published
2025-12-31
Title
Direct Payments WP <= 1.3.0 - Authenticated (Subscriber+) Sensitive Information Exposure