CVE-2024-7559

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Aug 23, 2024 / Updated: 2mo ago

CVSS 8.8 / EPSS 0.05% / Severity: High

Summary

The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This vulnerability affects authenticated users with Subscriber-level access and above.

Impact

This vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution, compromising the integrity, confidentiality, and availability of the system. The CVSS v3.1 base score is 8.8 (High), indicating a severe vulnerability with potential for significant damage.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects "all versions up to, and including, 8.3.7" of the File Manager Pro plugin, a patched version (8.3.8 or higher) is likely available or forthcoming. The security team should check for updates to the File Manager Pro plugin and apply them as soon as they become available.

Mitigation

1. Update the File Manager Pro plugin to a version newer than 8.3.7 if available.
2. If an update is not available, consider temporarily disabling the File Manager Pro plugin until a patch is released.
3. Implement strict access controls to limit the number of users with Subscriber-level access or higher.
4. Monitor and audit file uploads on the WordPress site for any suspicious activity.
5. Implement additional security measures such as Web Application Firewalls (WAF) to help detect and prevent malicious file uploads.
6. Regularly review and validate user permissions, especially for roles that have the ability to upload files.
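As an added illustration (not File Manager Pro's code) of the two controls the summary says are missing, a capability check and file type validation, this is how a hardened WordPress AJAX upload handler for an action like mk_file_folder_manager would look; the nonce name, the upload field name and the required capability are assumptions.

```php
<?php
// Added illustration, not the File Manager Pro plugin's code. It shows the two
// controls the advisory says were missing from the mk_file_folder_manager AJAX
// action: a capability check and file type validation. The nonce name
// ('mk_nonce'), the upload field ('file') and the capability are assumptions.

add_action( 'wp_ajax_mk_file_folder_manager', 'example_mk_file_folder_manager' );

function example_mk_file_folder_manager() {
    // Capability check: Subscriber-level users must never reach the upload path.
    // 'manage_options' limits the action to administrators; use the narrowest
    // capability the feature genuinely needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // CSRF protection for the AJAX action (nonce name is an assumption).
    check_ajax_referer( 'mk_file_folder_manager', 'mk_nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }

    $file         = $_FILES['file'];
    $file['name'] = sanitize_file_name( $file['name'] );

    // File type validation: compare the extension with the file's real content
    // and with the MIME types this site allows. A disallowed type (e.g. a PHP
    // script) or a mismatch yields an empty 'ext'/'type' and is rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted' ), 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // wp_handle_upload() re-checks the type against get_allowed_mime_types()
    // and stores the file under the uploads directory, never in a path chosen
    // by the client. 'test_form' => false because this is not a form post.
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array(
        'file' => basename( $result['file'] ),
        'type' => $result['type'],
    ) );
}
```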

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7559.

Aug 23, 2024 at 2:41 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 23, 2024 at 2:41 AM

Affected Systems

Filemanagerpro/file_manager

Attack Patterns

CAPEC-242: Code Injection

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (August 19, 2024 to August 25, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
Security bulletin - 28 Aug 2024 - Cyber Security Agency of Singapore
CVE-2024-7559
High Severity Description The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Read more at https://www.tenable.com/cve/CVE-2024-7559
High - CVE-2024-7559 - The File Manager Pro plugin for WordPress is...
The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions...
CVE-2024-7559
Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
