cleantalk
Vulnerabilities and Security Researches

File Manager, CVE-2024-1538

CVE, Research URL

CVE-2024-1538

Home page URL

Security reports for File Manager

Application

File Manager

Published on
Mar 21, 2024
Research Description
The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.
Affected versions
Min -, max 7.2.5.
Status
vulnerable
Previous vulnerability researches
File Manager (CVE-2024-37254) , Jul 01, 2024
File Manager (CVE-2018-16966) , Jun 06, 2024
File Manager (CVE-2024-0761) , Jun 06, 2024
File Manager (CVE-2023-6825) , Jun 06, 2024
File Manager (CVE-2021-24177) , Jun 06, 2024
New vulnerability
Football Pool (CVE-2025-5490) , Jun 20, 2025
CubeWP Forms – LeadGen & Contact Form (CVE-2025-49880) , Jun 20, 2025
WP2LEADS | WordPress und KlickTipp einfach verbinden – WooCommerce und KlickTipp einfach verbinden (CVE-2025-49316) , Jun 20, 2025
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit (CVE-2025-1562) , Jun 20, 2025
eCommerce Product Catalog Plugin for WordPress (CVE-2025-49331) , Jun 20, 2025