Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-2068

The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.

Published

2023-06-27T14:15:10.477

Last Modified

2024-11-21T07:57:52.570

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	advancedfilemanager	file_manager_advanced_shortcode	≤ 2.3.2	Yes

References

http://packetstormsecurity.com/files/173735/WordPress-File-Manager-Advanced-Shortcode-2.3.2-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry ([email protected])
https://wpscan.com/vulnerability/58f72953-56d2-4d86-a49b-311b5fc58056 Exploit, Third Party Advisory ([email protected])
http://packetstormsecurity.com/files/173735/WordPress-File-Manager-Advanced-Shortcode-2.3.2-Remote-Code-Execution.html Exploit, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://wpscan.com/vulnerability/58f72953-56d2-4d86-a49b-311b5fc58056 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)