WordfenceCVELIST:CVE-2024-7627CVE-2024-7627 Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
23.6%
The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the ‘checkSyntax’ function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.
CNA Affected
[
{
"vendor": "bitpressadmin",
"product": "Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress",
"versions": [
{
"version": "6.0",
"status": "affected",
"lessThanOrEqual": "6.5.5",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]References
plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L39
plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L88
plugins.trac.wordpress.org/changeset/3138710/
www.wordfence.com/threat-intel/vulnerabilities/id/5f29de7a-3f15-4b6d-aad7-6a08151e2113?source=cve
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
23.6%