Description
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
Published:
2026-07-06
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Mon, 06 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fileorganizer
Fileorganizer fileorganizer Wordpress Wordpress wordpress |
|
| Vendors & Products |
Fileorganizer
Fileorganizer fileorganizer Wordpress Wordpress wordpress |
Mon, 06 Jul 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation. | |
| Title | FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations | |
| References |
|
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-06T06:00:01.869Z
Reserved: 2026-06-11T08:10:42.468Z
Link: CVE-2026-11962
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T08:30:04Z
Weaknesses
No weakness.