CVE-2024-7559

HIGH

Filemanagerpro.io File Manager Pro < 8.3.7 - Code Injection

Title source: rule

Description

The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

References (2)

Core 2

Core References

Product

https://filemanagerpro.io/file-manager-pro/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b45791-4b85-4a2d-8019-1d438bd694cb?source=cve

Scores

CVSS v3 8.8

EPSS 0.1280

EPSS Percentile 94.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434 CWE-94

Status published

Products (2)

File Manager/File Manager Pro < 8.3.7

filemanagerpro.io/file_manager_pro < 8.3.7

Published Aug 23, 2024

Tracked Since Feb 18, 2026