FileOrganizer < 1.1.0 – Authenticated (Subscriber+) Arbitrary File Upload | CVE 2024-7985 | Plugin Vulnerabilities

Description

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files.

Affects Plugins

Fixed in 1.1.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

fefe0d93-2448-48c0-a9a1-af080c197683

Timeline

Publicly Published

2024-10-29 (about 1 year ago)

Added

2024-10-29 (about 1 year ago)

Last Updated

2024-10-29 (about 1 year ago)

Other

Published

Title

Published

2023-11-06

Title

Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload

Published

2023-12-27

Title

JVM rich text icons < 1.2.4 - Subscriber+ Arbitrary File Upload

Published

2026-05-01

Title

User Registration Advanced Fields < 1.6.21 - Unauthenticated Arbitrary File Upload

Published

2025-10-29

Title

WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload

Published

2024-11-22

Title

WPGYM < 67.2.0 - Unauthenticated Arbitrary File Upload