High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin
On December 14th, 2023, shortly after the launch of our Holiday Bug Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in File Manager Pro, a WordPress plugin with an estimated 10,000+ active installations. This vulnerability made it possible for authenticated attackers to create a PHP file that could contain malicious content and be used for complete site takeover.
Props to Tobias Weißhaar who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $657.00 for this discovery during our Bug Bounty Program Extravaganza. Although the installation count would typically place this vulnerability out of scope for our bug bounty program, the severity and ease of exploitation combined with the much larger installation count of the free version of the plugin warranted some flexibility.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on January 8, 2024. Sites still using the free version of Wordfence will receive the same protection on February 7, 2024.
We contacted the File Manager developer team on December 14th, 2023, and received a response on December 15th, 2023. After providing full disclosure details, the developer released a patch on January 8th, 2024.
We urge users to update their sites with the latest patched version of File Manager Pro, version 8.3.5 at the time of this writing, as soon as possible.
Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through February 29th, 2024!
Vulnerability Summary from Wordfence Intelligence
Description: File Manager Pro
Source: wordfence.com