File Manager Pro – Filester < 1.8.7- Authenticated (Subscriber+) Arbitrary File Upload | CVE 2024-8066 | Plugin Vulnerabilities

Description

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 1.8.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/27288836-e5d3-49fc-b1f6-319ea3b70839

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

b8a870dd-9719-4ceb-aba0-923739837d6e

Timeline

Publicly Published

2024-11-27 (about 1 year ago)

Added

2024-11-27 (about 1 year ago)

Last Updated

2025-01-04 (about 1 year ago)

Other

Published

Title

Published

2024-10-25

Title

Plugin Propagator <= 0.1 - Unauthenticated Arbitrary File Upload

Published

2025-09-01

Title

Clanora < 1.3.1 - Unauthenticated Arbitrary File Upload

Published

2017-03-07

Title

Webapp builder 2.0 - Unauthenticated File Upload

Published

2024-11-13

Title

CF7 Reply Manager <= 1.2.3 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

Font Uploader 1.2.4 - Arbitrary File Upload