WordPress Plugin Vulnerabilities

FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access

Description

The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

Proof of Concept

Affects Plugins

Plugin icon
fileorganizer
Fixed in 1.0.3

References

CVE
CVE-2023-3664

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Dmitrii
Submitter
Dmitrii
Submitter website
https://blog.cleantalk.org/cve-2023-3664-fileorganizer/
Verified
Yes
WPVDB ID
d59e6eac-3ebf-40e0-800c-8cbef345423f

Timeline

Publicly Published
2023-09-03 (about 2 years ago)
Added
2023-08-30 (about 2 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2025-10-24
Title
Tutor LMS < 3.9.0 - Missing Authorization to Sensitive Information Exposure
Published
2024-04-03
Title
CGC Maintenance Mode <= 1.2 - Sensitive Information Exposure
Published
2024-09-12
Title
MStore API – Create Native Android & iOS Apps On The Cloud < 4.15.4 - Unauthorized User Registration
Published
2025-02-03
Title
B Slider- Gutenberg Slider Block for WP < 1.1.24 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode
Published
2023-06-02
Title
VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API