Platform
wordpress
Component
fileorganizer
Fixed in
1.1.5
CVE-2024-11010 describes a Local File Inclusion (LFI) vulnerability affecting the FileOrganizer – Manage WordPress and Website Files plugin. An attacker with administrator privileges can leverage this flaw to include and execute arbitrary JavaScript files on the server. This vulnerability impacts versions of the plugin up to and including 1.1.4. A patch is expected from the vendor.
The primary impact of CVE-2024-11010 is the potential for an authenticated administrator to execute arbitrary JavaScript code within the WordPress environment. This can be achieved by manipulating the 'default_lang' parameter to include malicious JavaScript files. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored within the WordPress installation (user credentials, database connection strings, API keys), and potentially achieve remote code execution. The ability to execute JavaScript code opens the door to a wide range of malicious activities, including defacing the website, injecting malware, and compromising the entire server.
CVE-2024-11010 was publicly disclosed on 2024-12-07. While no public proof-of-concept (PoC) code has been widely released, the ease of exploitation inherent in LFI vulnerabilities suggests a moderate risk of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. The requirement for administrator privileges limits the immediate attack surface, but the potential impact warrants prompt remediation.
WordPress websites utilizing the FileOrganizer plugin, particularly those with administrator accounts that have weak passwords or are otherwise vulnerable to compromise, are at risk. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the exploitation of this vulnerability on other sites.
• wordpress / composer / npm:
  grep -r 'default_lang' /var/www/html/wp-content/plugins/fileorganizer-manage-wordpress-and-website-files/
• wordpress / composer / npm:
  wp plugin list --status=all | grep fileorganizer
• wordpress / composer / npm:
  curl -I http://your-wordpress-site.com/wp-content/plugins/fileorganizer-manage-wordpress-and-website-files/ | grep default_lang
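The commands above only locate the plugin; the question a defender actually needs answered is whether the installed version is at or below 1.1.4. The following POSIX shell script is an added example (not part of this advisory or of the plugin) that reads the "Version:" header from the plugin's main PHP file and compares it numerically against the affected range; the plugin directory layout and the constructed sample header are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: is the installed FileOrganizer plugin in
# the affected range (<= 1.1.4, fixed in 1.1.5)? Plugin path/header layout assumed.

AFFECTED_MAX="1.1.4"   # last affected version stated by the advisory

# Numeric, field-by-field comparison of dotted versions (so 1.10.0 > 1.9.0).
# Prints -1, 0 or 1 for $1 <, =, > $2. Missing fields count as 0; suffixes
# such as "-beta" are ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given version is at or below AFFECTED_MAX.
is_affected() {
    [ "$(version_cmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Extract the "Version:" value from a WordPress plugin header block.
# $1 is the plugin directory (assumed: wp-content/plugins/<slug>/).
plugin_version() {
    grep -h -m1 '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//' | tr -d '\r'
}

# Report on one plugin directory; exit 0 = not affected, 1 = affected, 2 = unknown.
check_plugin_dir() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then echo "no Version header found under $1"; return 2; fi
    if is_affected "$v"; then
        echo "FileOrganizer $v: affected by CVE-2024-11010 (fix in 1.1.5)"; return 1
    fi
    echo "FileOrganizer $v: not affected"
}

# Constructed sample header (stands in for the real plugin file) for a stand-alone run.
demo_dir="$(mktemp -d)"
printf '<?php\n/*\n * Plugin Name: FileOrganizer\n * Version: 1.1.4\n */\n' > "$demo_dir/fileorganizer.php"
check_plugin_dir "$demo_dir" || echo "(exit status $?)"; rm -rf "$demo_dir"
```

Point `check_plugin_dir` at the real plugin directory on a host to get the verdict; the numeric comparison matters because a plain string compare would misjudge a future 1.10.x release.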
EPSS
0.30% (53rd percentile)
The immediate mitigation for CVE-2024-11010 is to upgrade the FileOrganizer plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting administrator access to the plugin's settings or disabling the 'default_lang' parameter functionality. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious characters or patterns in the 'default_lang' parameter. Monitor WordPress access logs for unusual activity, particularly requests containing unusual file paths or extensions.
Update the FileOrganizer plugin to the latest available version. The vulnerability allows the inclusion of local JavaScript files, which could compromise the security of the website.
CVE-2024-11010 is a vulnerability in the FileOrganizer WordPress plugin that allows authenticated administrators to include and execute arbitrary JavaScript files, potentially leading to data theft or code execution.
You are affected if you are using the FileOrganizer plugin version 1.1.4 or earlier. Check your plugin versions and update immediately.
Update the FileOrganizer plugin to the latest available version. If an upgrade is not immediately possible, consider restricting access to the 'default_lang' parameter.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.