The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
Project Subscriptions
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 06 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 06 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Fileorganizer
Fileorganizer fileorganizer Wordpress Wordpress wordpress |
|
| Vendors & Products |
Fileorganizer
Fileorganizer fileorganizer Wordpress Wordpress wordpress |
Mon, 06 Jul 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation. | |
| Title | FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-06T12:14:33.831Z
Reserved: 2026-06-11T08:10:42.468Z
Link: CVE-2026-11962
Updated: 2026-07-06T12:14:29.453Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-06T08:30:04Z
Weaknesses
No weakness.