CVE-2024-8066

7.5 HIGH

📋 TL;DR

The File Manager Pro – Filester WordPress plugin up to version 1.8.6 allows authenticated attackers with Subscriber-level access (and administrator-granted permissions) to upload arbitrary files, including .htaccess files, potentially leading to remote code execution. This affects all WordPress sites using vulnerable versions of the Filester plugin.

💻 Affected Systems

Products:
  • File Manager Pro – Filester WordPress plugin
Versions: All versions up to and including 1.8.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Subscriber role or higher AND administrator-granted plugin permissions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full site compromise through remote code execution, data theft, defacement, or malware distribution.

🟠 Likely Case: Unauthorized file upload leading to backdoor installation, privilege escalation, or site manipulation.

🟢 If Mitigated: Limited impact if proper file validation and access controls prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once permissions are granted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.7

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3186518/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'File Manager Pro – Filester'.
4. Click 'Update Now' if available, or manually update to version 1.8.7+.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Filester plugin (all)

Temporarily deactivate the vulnerable plugin until patched.

wp plugin deactivate filester

Restrict file upload permissions (all)

Limit which user roles can access the file manager functionality.

🧯 If You Can't Patch

  • Remove Subscriber role access to Filester plugin entirely.
  • Implement web application firewall rules to block .htaccess file uploads.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > File Manager Pro – Filester version. If version is 1.8.6 or lower, you are vulnerable.

Check Version:

wp plugin get filester --field=version

Verify Fix Applied:

Confirm plugin version is 1.8.7 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads via /wp-content/plugins/filester/
  • .htaccess file modifications in unexpected locations
  • POST requests to filester file manager endpoints

Network Indicators:

  • HTTP POST requests to /wp-content/plugins/filester/includes/File_manager/ with file upload parameters

SIEM Query:

source="web_logs" AND uri_path LIKE "/wp-content/plugins/filester/%" AND method="POST" AND (form_data LIKE "%htaccess%" OR form_data LIKE "%php%" OR form_data LIKE "%shell%")
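The log indicators above, as an added example that is not part of this advisory: a small Python scanner that applies the same test as the SIEM query (POST to the plugin path with htaccess/php/shell in the request body) to constructed access-log lines. The log layout (combined format with the request body appended as a last quoted field) and the form-field names are assumptions, not Filester's real request format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, not real traffic. The trailing quoted field is the
# logged request body (an assumed custom log format); field names are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:10:00:01 +0000] "POST /wp-content/plugins/filester/includes/File_manager/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "action=upload&file=%2Ehtaccess"
203.0.113.5 - - [10/Sep/2024:10:00:02 +0000] "POST /wp-content/plugins/filester/includes/File_manager/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "action=upload&file=shell.php"
198.51.100.7 - - [10/Sep/2024:10:00:03 +0000] "GET /wp-content/plugins/filester/assets/app.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [10/Sep/2024:10:00:04 +0000] "POST /wp-content/plugins/filester/includes/File_manager/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "action=upload&file=report.pdf"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<body>[^"]*)"$'
)
PLUGIN_PREFIX = "/wp-content/plugins/filester/"
# Same indicator set as the SIEM query; "php" is anchored as an extension to cut noise.
SUSPICIOUS = re.compile(r"\.htaccess|\.php\b|shell", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, URL-decoding the body so %2E tricks do not hide a name."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["body"] = unquote(entry["body"])
    return entry


def is_suspicious_upload(entry):
    """POST under the plugin path whose body names an .htaccess, .php or shell file."""
    return (entry["method"] == "POST"
            and entry["path"].startswith(PLUGIN_PREFIX)
            and SUSPICIOUS.search(entry["body"]) is not None)


def scan_log(text):
    """Return (ip, timestamp, path, decoded body) for every matching line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious_upload(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"], entry["body"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT", *hit)
```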

🔗 References
