Platform: wordpress
Component: file-manager-pro
Fixed in: 8.3.8
CVE-2024-7559 is an arbitrary file upload vulnerability affecting the File Manager Pro plugin for WordPress. It allows authenticated attackers, even those with Subscriber-level access, to upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability exists in versions up to and including 8.3.7; the fix ships in version 8.3.8.
An attacker exploiting CVE-2024-7559 can upload malicious files, such as web shells, to the WordPress server. Successful upload and execution of such a file could grant the attacker complete control over the affected website, including the ability to modify content, steal sensitive data (user credentials, database information), and potentially pivot to other systems on the network. The impact is amplified if the WordPress site hosts sensitive data or is part of a larger infrastructure. The requirement for authenticated access, while limiting the scope, still poses a significant risk, as Subscriber-level users are often present on WordPress sites.
CVE-2024-7559 was publicly disclosed on August 23, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation and the wide usage of WordPress plugins make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. The lack of immediate exploitation does not diminish the risk, as attackers often take time to develop and deploy exploits.
Exploit Status
EPSS: 12.80% (94th percentile)
The primary mitigation for CVE-2024-7559 is to immediately upgrade the File Manager Pro plugin to a version higher than 8.3.7. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file upload permissions for Subscriber-level users within WordPress. Implement a Web Application Firewall (WAF) rule to block requests to the mkfilefolder_manager AJAX action with suspicious file extensions (e.g., .php, .exe, .asp). Regularly scan the WordPress installation for unauthorized files and monitor server logs for unusual file upload activity.
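Two of the detective controls listed above, scanning the uploads directory for files that should never be there and watching access logs for the mkfilefolder_manager action, as an added Python example that is not part of this advisory or of the plugin. The uploads tree and log lines are constructed sample data; the action name only shows up in an access log when it is passed in the query string, so log review complements rather than replaces the upgrade and WAF rule.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server may execute; a legitimate media upload never needs them.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp", ".exe"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Common Log Format prefix: client, ident, user, [timestamp] "request" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# The AJAX action named in the advisory; visible in access logs only when it is
# sent in the query string (POST bodies are not logged).
AJAX_ACTION = re.compile(r"/wp-admin/admin-ajax\.php\?\S*\baction=mkfilefolder_manager\b")

def suspicious_uploads(root):
    """Return (relative_path, reason) for files under `root` with an executable
    extension anywhere in the name, or a PHP open tag behind a harmless extension."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if {s.lower() for s in path.suffixes} & EXECUTABLE_EXTS:
            hits.append((path.relative_to(root).as_posix(), "executable extension"))
        elif PHP_OPEN_TAG.search(path.read_bytes()[:4096]):
            hits.append((path.relative_to(root).as_posix(), "php tag in content"))
    return hits

def flag_ajax_uploads(log_text):
    """Return (ip, timestamp, request) for log lines that call the vulnerable action."""
    return [(m["ip"], m["ts"], m["req"])
            for m in map(LOG_LINE.match, log_text.splitlines())
            if m and AJAX_ACTION.search(m["req"])]

def build_sample_uploads():
    """Constructed wp-content/uploads tree for the demo; returns its path."""
    root = Path(tempfile.mkdtemp())
    (root / "2024/08").mkdir(parents=True)
    (root / "2024/08/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg body")
    (root / "2024/08/avatar.php.jpg").write_bytes(b"GIF89a")  # double extension
    (root / "2024/08/notes.txt").write_bytes(b"<?php echo 'not a text file';")
    return root

SAMPLE_LOG = (  # constructed access-log lines; 203.0.113.0/24 is documentation space
    '203.0.113.7 - - [23/Aug/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200\n'
    '203.0.113.7 - - [23/Aug/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=mkfilefolder_manager HTTP/1.1" 200\n'
    '198.51.100.4 - - [23/Aug/2024:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200\n'
)

if __name__ == "__main__":
    print(suspicious_uploads(build_sample_uploads()))
    print(flag_ajax_uploads(SAMPLE_LOG))
```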
Update the File Manager Pro plugin to the latest available version. The vulnerability allows arbitrary file upload, which could lead to remote code execution. The update fixes the missing file-type validation and capability checks.
CVE-2024-7559 is a vulnerability in the File Manager Pro WordPress plugin allowing authenticated users to upload arbitrary files, potentially leading to remote code execution. It affects versions up to 8.3.7 and has a CVSS score of 8.8 (HIGH).
You are affected if you use the File Manager Pro plugin in WordPress and are running version 8.3.7 or earlier. Check your plugin version and upgrade immediately if necessary.
The recommended fix is to upgrade the File Manager Pro plugin to a version higher than 8.3.7. If immediate upgrade is not possible, consider temporary workarounds like restricting file upload permissions.
As of August 23, 2024, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the File Manager Pro plugin website and WordPress plugin directory for the latest advisory and update information.