Platform
wordpress
Component
fileorganizer
Fixed in
1.1.5
CVE-2024-11010 describes a Local JavaScript File Inclusion vulnerability in the FileOrganizer – Manage WordPress and Website Files plugin for WordPress. The 'default_lang' parameter selects a JavaScript file to include without sufficient validation, so an authenticated attacker with administrator-level access can include and execute arbitrary JavaScript files present on the server. All versions up to and including 1.1.4 are affected; version 1.1.5 fixes the issue and is available as a plugin update.
An attacker exploiting this vulnerability supplies a crafted 'default_lang' value so that a JavaScript file of their choosing, rather than the intended language file, is included. What this yields depends on which JavaScript files exist on the server and whether the attacker can place one of their own: because FileOrganizer is itself a file-management plugin, an administrator can typically upload a file and then include it. Included code can be used to bypass access controls, read sensitive data exposed in the WordPress environment, and, where an attacker-controlled file is included, achieve code execution and full control of the affected site. The attack requires an account that already holds administrator privileges.
This vulnerability was publicly disclosed on 2024-12-07. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because exploitation requires an existing administrator account, and a WordPress administrator on a default installation can already install plugins and edit code, the practical exposure is concentrated in deployments that deliberately limit what administrators can do (for example, sites that set DISALLOW_FILE_MODS, or multisite installations where site administrators are not super admins). It is nonetheless a low-effort step for anyone who obtains administrator credentials, and should be patched.
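A practical way to look for attempts against the 'default_lang' parameter is to scan web-server access logs for values that are not shaped like a language code. The script below is an added example written for this page, not code from the plugin or its vendor. The log lines are constructed, the admin page slug 'page=fileorganizer' is an assumption, and the accepted language-code shape is an assumption about the plugin's language files; only the 'default_lang' parameter comes from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format (not real traffic).
# 'page=fileorganizer' is an assumption made for the example. The first two
# requests select a language normally; the last three try to steer the
# parameter at a file the attacker controls (plain, URL-encoded, NUL-byte).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Dec/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=fileorganizer&default_lang=en HTTP/1.1" 200 5120
203.0.113.10 - - [07/Dec/2024:10:01:05 +0000] "GET /wp-admin/admin.php?page=fileorganizer&default_lang=pt_BR HTTP/1.1" 200 5120
198.51.100.7 - - [07/Dec/2024:10:02:11 +0000] "GET /wp-admin/admin.php?page=fileorganizer&default_lang=../../uploads/2024/12/payload HTTP/1.1" 200 5120
198.51.100.7 - - [07/Dec/2024:10:02:14 +0000] "GET /wp-admin/admin.php?page=fileorganizer&default_lang=..%2F..%2Fuploads%2Fpayload.js HTTP/1.1" 200 5120
198.51.100.7 - - [07/Dec/2024:10:02:20 +0000] "GET /wp-admin/admin.php?page=fileorganizer&default_lang=en%00 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shape of a legitimate language selector ("en", "pt_BR", "zh-CN"). This is
# an assumption about the plugin's language codes and is deliberately strict:
# a path separator, a file extension or a NUL byte never matches.
LANG_CODE_RE = re.compile(r'^[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?$')


def is_language_code(value: str) -> bool:
    """Return True only for values shaped like a plain language code."""
    return LANG_CODE_RE.fullmatch(value) is not None


def suspicious_default_lang(log_text: str) -> list:
    """Parse combined-format log lines and return every request whose
    'default_lang' value is not a plain language code. parse_qs decodes the
    value once, so '..%2F' is inspected as '../' and '%00' as a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        query = urlsplit(m.group('target')).query
        for value in parse_qs(query).get('default_lang', []):
            if not is_language_code(value):
                hits.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'status': int(m.group('status')),
                    'value': value,
                })
    return hits


if __name__ == '__main__':
    for hit in suspicious_default_lang(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} "
              f"default_lang={hit['value']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. It only sees parameters sent in the query string; if the plugin also accepts 'default_lang' in a POST body, the web server's access log will not show it and the check must move to the application or a WAF.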
Exploit Status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11010 is to update the FileOrganizer plugin to version 1.1.5 or later without delay. If an immediate upgrade is not feasible because of compatibility concerns, reduce exposure in the meantime: filter the 'default_lang' parameter at the web server or with a WordPress security plugin so that any value other than a plain language code (letters, digits, underscore or hyphen; no slashes, dots, or URL-encoded variants of them) is rejected, and review the JavaScript files in the plugin directory and under wp-content/uploads for anything that does not belong there, since the vulnerability is most dangerous when an attacker-controlled file can be included. Audit administrator accounts as well, because the attack requires one. After upgrading, confirm that the installed version is 1.1.5 or later (for example with WP-CLI: wp plugin get fileorganizer --field=version) and, on a staging copy, verify that a request whose 'default_lang' value is not a language code, such as one containing '../', is no longer honoured.
Update the FileOrganizer plugin to the latest available version. The vulnerability allows the inclusion of local JavaScript files, which could compromise the security of the website.
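To decide whether an installation is affected, the version in the plugin's main-file header has to be compared against the first fixed release numerically, not as a string (a string compare would rank 1.1.10 below 1.1.5). The script below is an added example for this page, not the plugin's or vendor's code. The plugin header text is constructed, and the default path wp-content/plugins/fileorganizer/fileorganizer.php is an assumption about where the main file lives; pass the real path if it differs.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "1.1.5"  # first fixed release named in the advisory

# Constructed plugin header in the standard WordPress plugin-header format
# (not copied from the plugin). Only the "Version:" line matters here.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: FileOrganizer
 * Version: 1.1.4
 */
"""

VERSION_LINE_RE = re.compile(r'^[\s*#/]*Version:\s*(\S+)',
                             re.MULTILINE | re.IGNORECASE)


def plugin_version(header_text: str):
    """Extract the Version: value from a plugin's main-file header, or None."""
    m = VERSION_LINE_RE.search(header_text)
    return m.group(1) if m else None


def parse_version(version: str) -> tuple:
    """Turn '1.1.4' into (1, 1, 4). A trailing non-numeric suffix such as
    '-beta' is ignored, so '1.1.5-beta' compares as (1, 1, 5)."""
    m = re.match(r'\d+(?:\.\d+)*', version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split('.'))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed. Components are compared numerically with
    zero padding, so '1.0' < '1.1.5' and '1.1.10' > '1.1.5'."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_plugin_file(path) -> dict:
    """Read a plugin main file from disk and report its version and status."""
    text = Path(path).read_text(encoding='utf-8', errors='replace')
    version = plugin_version(text)
    return {
        'path': str(path),
        'version': version,
        'affected': is_affected(version) if version else None,
    }


if __name__ == '__main__':
    # Default location is an assumption; pass the real path as argv[1].
    target = (sys.argv[1] if len(sys.argv) > 1
              else 'wp-content/plugins/fileorganizer/fileorganizer.php')
    if Path(target).exists():
        report = check_plugin_file(target)
    else:
        # Fall back to the constructed header so the script runs offline.
        version = plugin_version(SAMPLE_HEADER)
        report = {'path': '(sample header)', 'version': version,
                  'affected': is_affected(version)}
    print(report)
```

A result of affected=True means the site is running 1.1.4 or earlier and needs the update; a version of None means the header could not be read and the path should be checked by hand.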
CVE-2024-11010 is a vulnerability in the FileOrganizer WordPress plugin that allows authenticated administrators to include and execute arbitrary JavaScript files, potentially leading to data theft or code execution.
You are affected if you are using the FileOrganizer plugin version 1.1.4 or earlier. Check your plugin versions and update immediately.
Update the FileOrganizer plugin to version 1.1.5 or later. If an upgrade is not immediately possible, filter the 'default_lang' parameter so that only plain language codes are accepted.
As of the current date, there are no confirmed reports of active exploitation. Exploitation requires an existing administrator account, so the main risk is to sites where administrator credentials have been compromised or where administrator privileges are deliberately restricted.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.