CVE-2024-8918

The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://filemanagerpro.io/	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/01ef62c8-e862-422c-948d-6d376d021c82?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:pro:wordpress:*:*

History

No history.

Information

Published : 2024-10-16 07:15

Updated : 2024-10-17 18:25

NVD link : CVE-2024-8918

Mitre link : CVE-2024-8918

CVE.ORG link : CVE-2024-8918

JSON object : View

Products Affected

filemanagerpro

file_manager

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-8918", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-10-16T07:15:16.777", "references": [{"url": "https://filemanagerpro.io/", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01ef62c8-e862-422c-948d-6d376d021c82?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting."}, {"lang": "es", "value": "El complemento File Manager Pro para WordPress es vulnerable a la carga limitada de archivos JavaScript en todas las versiones hasta la 8.3.9 incluida. Esto se debe a la falta de controles adecuados sobre los tipos de archivos permitidos. Esto hace posible que atacantes no autenticados, con permisos otorgados por un administrador, carguen archivos .css y .js, lo que podr\u00eda provocar cross-site scripting almacenado."}], "lastModified": "2024-10-17T18:25:46.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:pro:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "5B91CC02-A4F1-4F5B-914E-C9245A2B0965", "versionEndExcluding": "8.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}