CVE-2023-3664: 
WordPress vulnerability analysis and mitigation

The FileOrganizer WordPress plugin through version 1.0.2 contains a critical security vulnerability identified as CVE-2023-3664. The vulnerability stems from improper access control restrictions in multisite instances, which allows site administrators to gain unauthorized full control over the server. This vulnerability was discovered by Dmitrii and was publicly disclosed on September 3, 2023. The issue affects all versions of the FileOrganizer plugin up to and including version 1.0.2, with a fix being implemented in version 1.0.3 (WPScan).

The vulnerability is classified as an Access Controls issue with a CVSS score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-284 (Improper Access Control) and maps to OWASP Top 10 category A5: Broken Access Control. The technical issue lies in the plugin's failure to properly implement access control restrictions in WordPress multisite environments, where regular site administrators can access functionality that should be restricted to super administrators (WPScan).

The vulnerability allows site administrators on multisite WordPress installations to gain full control over the server through the plugin's file management interface. This represents a significant privilege escalation as regular site administrators should not have this level of access to the server's file system (WPScan).

The vulnerability has been fixed in FileOrganizer version 1.0.3. Site owners are strongly advised to update to this version or later to address the security issue. If immediate updating is not possible, it is recommended to restrict access to the FileOrganizer plugin's functionality or temporarily disable it on multisite installations (WPScan).