CVE-2024-12331 — Missing Authorization in Filester

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ninjateam Filester Ninjateam File Manager PRO Filester

Timeline

PublishedDec 19

Description

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ninjateam/file_manager_pro_filester1.8.6

▶NVDninjateam/filester< 1.8.7

🔴Vulnerability Details

GHSA

GHSA-449m-fffr-gjmh: The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax↗2024-12-19

▶

CVEList

File Manager Pro – Filester <= 1.8.6 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation↗2024-12-19

▶