CVE-2024-1538

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Mar 21, 2024

Summary

CVE-2024-1538 is a Cross-Site Request Forgery vulnerability affecting the File Manager plugin for WordPress. The flaw exists due to the lack of proper nonce validation on the wp_file_manager page, allowing unauthenticated attackers to include local JavaScript files. By tricking a site administrator into performing an action, such as clicking on a link, attackers can leverage this vulnerability to achieve Remote Code Execution (RCE). The issue was partially addressed in version 7.2.4, but fully patched in the subsequent release, 7.2.5.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/uh71EJ
https://www.cve.org/CVERecord?id=CVE-2024-1538
https://nvd.nist.gov/vuln/detail/CVE-2024-1538

Back to Vulnerability Database

CVE-2024-1538

CVSS 3.1 Score 8.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations