VDB

CVE-2024-7985

CVE-2024-7985 PUBLISHED CVSS 7.5 HIGH

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files.

EPSS 50.48% · 97.9th percentile

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
50.48%
97.9th percentile

Affected Products

VendorProductVersions
softaculousfileorganizer0
softaculousFileOrganizer – Manage WordPress and Website Files*
fileorganizerfileorganizer0

Timeline

  • Oct 29, 2024 Coalition ESS Score
  • Oct 29, 2024 CVE Published
  • Oct 30, 2024 EPSS Score
  • Nov 1, 2024 Coalition ESS Score
  • Nov 8, 2024 Coalition ESS Score
  • Dec 6, 2024 EPSS Score
  • Dec 24, 2024 EPSS Score
  • Jan 30, 2025 EPSS Score
  • Feb 17, 2025 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 20, 2025 EPSS Score
  • Mar 21, 2025 Coalition ESS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›