CVE-2024-12331
📋 TL;DR
The File Manager Pro – Filester WordPress plugin is missing a capability check on its AJAX plugin-install handler (the admin-ajax.php action ajax_install_plugin), so any authenticated user with Subscriber-level access or higher can trigger installation of the FileBird plugin, an operation WordPress normally reserves for accounts holding the install_plugins capability. All versions up to and including 1.8.6 are affected; 1.8.7 adds the missing check. The practical result is that the lowest-privileged accounts on a site can change which plugins are installed on it.
💻 Affected Systems
- File Manager Pro – Filester WordPress plugin
📦 What is this software?
Filester (File Manager Pro) by Ninjateam is a file manager plugin for the WordPress admin area; its operations, including the plugin installer affected here, are exposed as admin-ajax.php actions.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with a Subscriber account, the role handed to self-registered users on sites with open registration, triggers the unprotected installer. If the install routine can be steered to a package other than FileBird (not established by this advisory) or the unexpected plugin is combined with another weakness, the outcome is a backdoored site, complete compromise, data theft, or ransomware deployment.
Likely Case
Attackers trigger installation of the FileBird plugin. The direct impact is an unauthorised plugin on the site, plus whatever additional file-management capability that plugin exposes to the same low-privilege accounts, potentially leading to unauthorised file uploads, modification, or deletion.
If Mitigated
With proper user role management and monitoring, impact is limited to unauthorized plugin installation which can be detected and reversed.
🎯 Exploit Status
Exploitation requires an authenticated account, but nothing beyond Subscriber-level access; once logged in, a single request to admin-ajax.php with the vulnerable action is enough, so the barrier is low on any site that allows registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.7
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3208858/filester
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'File Manager Pro – Filester' and check for updates.
4. Update to version 1.8.7 or higher.
5. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Filester plugin until it is patched (this also removes the file-manager functionality for legitimate administrators):
wp plugin deactivate filester
Restrict user roles
Review every account with Subscriber access and remove the ones you do not recognise or need; if open registration is enabled, consider turning it off while the site is unpatched. List the IDs first so each deletion can be reviewed before it runs:
wp user list --role=subscriber --field=ID
wp user delete [ID] --reassign=[admin_ID]
🧯 If You Can't Patch
- Implement strict user role management and review all accounts with Subscriber access
- Enable WordPress security plugins with file integrity monitoring and user activity logging
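One way to virtually patch the flaw when updating is not yet possible, as an added example (this is not Filester's or Ninjateam's code): a must-use plugin that hooks the same admin-ajax.php action the indicators below name, ajax_install_plugin, at priority 0 so it runs before the plugin's own handler, and refuses the request unless the caller holds install_plugins, the capability WordPress itself requires for plugin installation. It assumes that action name is the hook Filester registers; the guard function name and the log text are the example's own.

```php
<?php
/**
 * Plugin Name: CVE-2024-12331 guard (example virtual patch)
 * Description: Blocks non-administrators from reaching Filester's ajax_install_plugin action.
 *
 * Added example, not part of Filester. Drop this file into wp-content/mu-plugins/ so it
 * loads automatically and before regular plugins. Assumption: the vulnerable handler is
 * registered on the wp_ajax_ajax_install_plugin hook (action name from the advisory).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct access outside WordPress: do nothing
}

/**
 * Capability gate for the vulnerable AJAX action.
 *
 * admin-ajax.php fires wp_ajax_{action} callbacks in priority order, so registering at
 * priority 0 guarantees this runs before Filester's callback (default priority 10).
 */
function cve_2024_12331_guard() {
    // install_plugins is the capability WordPress core checks before installing a plugin.
    if ( current_user_can( 'install_plugins' ) ) {
        return; // privileged caller: let the plugin's own handler run as normal
    }

    $user = wp_get_current_user();

    // Record the blocked attempt so it reaches the PHP error log / SIEM (see Detection below).
    error_log( sprintf(
        'CVE-2024-12331 guard: blocked ajax_install_plugin for user=%s (id=%d, roles=%s) from %s',
        $user->user_login,
        $user->ID,
        implode( ',', $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // Sends a JSON error with HTTP 403 and exits, so the vulnerable callback never executes.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_ajax_install_plugin', 'cve_2024_12331_guard', 0 );
```

Save it as wp-content/mu-plugins/cve-2024-12331-guard.php; must-use plugins need no activation. To check it, log in as a Subscriber and POST action=ajax_install_plugin to /wp-admin/admin-ajax.php: the response should be a 403 JSON error and a matching line should appear in the PHP error log, while an administrator's request passes through unchanged. The file can stay in place after updating to 1.8.7, since it only duplicates the check the fixed version performs.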
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → File Manager Pro – Filester version. If version is 1.8.6 or lower, you are vulnerable.
Check Version:
wp plugin get filester --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.8.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Audit/activity-log entries (WordPress core does not record this on its own; a security or activity-log plugin is needed) showing a plugin installation performed by a non-administrator account
- The FileBird plugin appearing unexpectedly under wp-content/plugins/
Network Indicators:
- Requests to /wp-admin/admin-ajax.php carrying action=ajax_install_plugin, in the POST body or the query string, from sessions that do not belong to an administrator (the role is not visible in a raw access log; correlate the request with the logged-in user via the audit log or session cookie)
SIEM Query:
source="wordpress.log" AND "ajax_install_plugin" AND user_role!="administrator"
(field names are illustrative; adapt them to the schema your logging plugin produces)