CVE-2024-1538

File Manager <= 7.2.4 - Cross-Site Request Forgery to Local JS File Inclusion

CVSS 8.8 HIGHEPSS 10.7%CWE-352

In short

The File Manager plugin for WordPress can be tricked into loading malicious local JavaScript files through a forged request. An attacker can craft a link that, when clicked by a site admin, executes code on the server.

Technical detail

Cross-Site Request Forgery vulnerability due to missing nonce validation on the wp_file_manager page's 'lang' parameter allows unauthenticated attackers to inject local JavaScript files. Exploitation requires social engineering (admin clicking a malicious link) but can result in Remote Code Execution once the file is included.

Summary generated and translated by AI from the official description.

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

mndpsingh287 · File Manager

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve