The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 19 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Filemanagerpro
Filemanagerpro file Manager
Weaknesses CWE-352
CPEs cpe:2.3:a:filemanagerpro:file_manager:*:*:*:*:free:wordpress:*:*
Vendors & Products Filemanagerpro
Filemanagerpro file Manager

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2024-08-05T20:10:01.569Z

Reserved: 2024-02-15T15:53:38.014Z

Link: CVE-2024-1538

cve-icon Vulnrichment

Updated: 2024-08-01T18:40:21.445Z

cve-icon NVD

Status : Analyzed

Published: 2024-03-21T04:15:09.117

Modified: 2025-05-19T13:47:57.760

Link: CVE-2024-1538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.