File Manager Pro – Filester < 1.8.7 – Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation | CVE 2024-12331 | Plugin Vulnerabilities

Description

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.

Affects Plugins

Fixed in 1.8.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5b09bfff-4d6e-4de0-b6ab-6ac27c4f2be6

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

8e4eceb9-ff34-4a50-b0a4-208fea103d1d

Timeline

Publicly Published

2024-12-18 (about 1 year ago)

Added

2024-12-18 (about 1 year ago)

Last Updated

2024-12-19 (about 1 year ago)

Other

Published

Title

Published

2025-11-04

Title

CoSchedule < 3.4.1 - Missing Authorization

Published

2024-06-05

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.7 - Unauthenticated Payment Deletion via delete_payment

Published

2026-01-18

Title

AJAX Hits Counter + Popular Posts Widget <= 0.10.210305 - Missing Authorization

Published

2025-01-31

Title

Document Block – Upload & Embed Docs <= 1.1.0 - Missing Authorization

Published

2026-04-23

Title

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services < 7.9.9 - Missing Authorization