WordPress Plugin Vulnerabilities

FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations

Description

The plugin does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.

Proof of Concept

Affects Plugins

Fixed in 1.2.0

References

Miscellaneous

Original Researcher
Revanth Hari Narayana Matte
Submitter
Revanth Hari Narayana Matte
Verified
Yes

Timeline

Publicly Published
2026-06-15 (about 21 days ago)
Added
2026-06-15 (about 20 days ago)
Last Updated
2026-07-03 (about 2 days ago)

Other