CVE-2024-8918 — Unrestricted File Upload in File Manager

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

5.4MEDIUMNVD

CNA7.4

EPSS

0.9%

top 24.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Filemanagerpro File Manager File Manager PRO

Timeline

PublishedOct 16

Description

The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDfilemanagerpro/file_manager< 8.3.10

▶CVEListV5file_manager/file_manager_pro8.3.9

🔴Vulnerability Details

CVEList

File Manager Pro <= 8.3.9 - Unauthenticated Limited JavaScript File Upload↗2024-10-16

▶

GHSA

GHSA-fmq2-wx5c-p3mg: The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8↗2024-10-16

▶