CVE-2021-24890: 
WordPress vulnerability analysis and mitigation

The Scripts Organizer WordPress plugin before version 3.0 contains a critical security vulnerability identified as CVE-2021-24890. The vulnerability was discovered by Ovidiu Maghetiu and publicly disclosed on September 5, 2022. This security flaw affects the saveScript AJAX action functionality in the plugin, which lacks proper capability and CSRF checks, making it accessible to both authenticated and unauthenticated users (WPScan).

The vulnerability stems from missing authorization controls and CSRF protections in the saveScript AJAX action. The plugin does not implement any input validation, allowing attackers to inject arbitrary PHP code into files on the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified under CWE-862 (Missing Authorization) and CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability allows unauthenticated users to upload arbitrary PHP files to the server through the wp-content/uploads/scripts-organizer/ directory. This could lead to complete server compromise as attackers can execute malicious PHP code on the affected system. The high CVSS score reflects the severe potential impact on the confidentiality, integrity, and availability of the affected systems (WPScan).

The vulnerability has been fixed in version 3.0 of the Scripts Organizer plugin. Website administrators are strongly advised to update to this version or later to protect their systems. If immediate updating is not possible, it is recommended to disable the plugin until the update can be applied (Scripts Organizer).