CVE-2022-3125
Published: 2022-10-03
Priority: P276 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW (VulnCheck KEV): Exploited in the wild
EPSS: 1.11% (61.9th percentile)
The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, such as PHP, which could allow them to upload arbitrary files to the server and achieve RCE.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| najeebmedia | frontend_file_manager | < 21.3 | 21.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
GHSA
GHSA-q6gp-rjmw-h7qw · ghsa_unreviewed · 2022-10-04 · CVE-2022-3125 [HIGH] · CWE-434
Description: same as the CVE description above.
OSV
CVE-2022-3125 · osv · 2022-10-03 · CVSS 8.8 [HIGH]
Description: same as the CVE description above.
VulnCheck
najeebmedia frontend_file_manager: Unrestricted Upload of File with Dangerous Type · vulncheck · 2022 · CVSS 8.8 [HIGH]
Description: same as the CVE description above.
Affected: najeebmedia frontend_file_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/vulnerability/nmedia-user-file-uploader/wordpress-frontend-file-manager-plugin-21-2-authenticated-arbitrary-file-upload-vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.