Lucene search

[email protected]NVD:CVE-2024-7031

HistoryAug 03, 2024 - 9:15 a.m.

CVE-2024-7031

2024-08-0309:15:30

CWE-862

[email protected]

web.nvd.nist.gov

file manager pro

filester plugin

wordpress

vulnerability

cve-2024-7031

unauthorized modification

data

missing capability check

njt_fs_savesettingrestrictions

authenticated attackers

role permissions

administrator

plugin settings

user role restrictions

file types

.php

uploaded

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

24.0%

JSON

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘njt_fs_saveSettingRestrictions’ function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded.

References

plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/FileManager.php#L566

plugins.trac.wordpress.org/changeset/3129722/

www.wordfence.com/threat-intel/vulnerabilities/id/aef584bd-60a5-4bf2-b8d3-58e3b45e785e?source=cve

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

24.0%

JSON

Related for NVD:CVE-2024-7031

vulnrichment1 cve1 cvelist1 wordfence1