CVE-2024-11010: 
WordPress vulnerability analysis and mitigation

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress contains a Local JavaScript File Inclusion vulnerability (CVE-2024-11010) affecting all versions up to and including 1.1.4. This security flaw was discovered and reported by Wordfence in December 2024 (Wordfence Intel).

The vulnerability exists in the 'default_lang' parameter of the plugin, which allows authenticated attackers with Administrator-level access to include and execute arbitrary JavaScript files stored on the server. The severity of this vulnerability has been rated as HIGH with a CVSS v3.1 base score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The issue has been classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD Database).

If exploited, this vulnerability could allow attackers to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The impact is particularly significant as it enables the execution of any JavaScript code contained within the included files (NVD Database).

The vulnerability affects all versions up to and including 1.1.4. Users are advised to update their FileOrganizer plugin to the latest version that includes the security fix. The fix can be found in the WordPress plugin repository (WordPress Plugin).