CVE-2024-1538 - Vulnerability Details - OpenCVE

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.04491.

Key SSVC decision points have not yet been added.

Vendors	Products
Filemanagerpro	File Manager

Configuration 1 [-]

cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:free:wordpress:*:*

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager
https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve

History

Mon, 19 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Filemanagerpro Filemanagerpro file Manager
Weaknesses		CWE-352
CPEs		cpe:2.3:a:filemanagerpro:file_manager:::::free:wordpress::
Vendors & Products		Filemanagerpro Filemanagerpro file Manager

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-21T03:32:42.789Z

Updated: 2024-08-05T20:10:01.569Z

Reserved: 2024-02-15T15:53:38.014Z

Link: CVE-2024-1538

Vulnrichment

Updated: 2024-08-01T18:40:21.445Z

NVD

Status : Analyzed

Published: 2024-03-21T04:15:09.117

Modified: 2025-05-19T13:47:57.760

Link: CVE-2024-1538

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1538", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-02-15T15:53:38.014Z", "datePublished": "2024-03-21T03:32:42.789Z", "dateUpdated": "2024-08-05T20:10:01.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-21T03:32:42.789Z"}, "affected": [{"vendor": "mndpsingh287", "product": "File Manager", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Holley"}], "timeline": [{"time": "2024-03-20T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.445Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "mndpsingh287", "product": "file_manager", "cpes": ["cpe:2.3:a:mndpsingh287:file_manager:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.2.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T20:08:49.659654Z", "id": "CVE-2024-1538", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T20:10:01.569Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:40:21.445Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-05T20:08:49.659654Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mndpsingh287:file_manager:*:*:*:*:*:*:*:*"], "vendor": "mndpsingh287", "product": "file_manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.2.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T20:09:54.943Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Daniel Holley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "mndpsingh287", "product": "File Manager", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-20T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager"}], "descriptions": [{"lang": "en", "value": "The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-21T03:32:42.789Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1538", "state": "PUBLISHED", "dateUpdated": "2024-08-05T20:10:01.569Z", "dateReserved": "2024-02-15T15:53:38.014Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-21T03:32:42.789Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:free:wordpress:*:*", "matchCriteriaId": "A98C0741-B27D-4281-A571-062A554E1E16", "versionEndExcluding": "7.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5."}, {"lang": "es", "value": "El complemento File Manager para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 7.2.4 incluida. Esto se debe a una validaci\u00f3n nonce faltante o incorrecta en la p\u00e1gina wp_file_manager que incluye archivos a trav\u00e9s del par\u00e1metro 'lang'. Esto hace posible que atacantes no autenticados incluyan archivos JavaScript locales que pueden aprovecharse para lograr RCE a trav\u00e9s de una solicitud falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace. Este problema se solucion\u00f3 parcialmente en la versi\u00f3n 7.2.4 y por completo en la 7.2.5."}], "id": "CVE-2024-1538", "lastModified": "2025-05-19T13:47:57.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-03-21T04:15:09.117", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3051451/wp-file-manager"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/57cc15a6-2cf5-481f-bb81-ada48aa74009?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}