CVE-2024-37254: 
WordPress vulnerability analysis and mitigation

The File Manager WordPress plugin contains a Missing Authorization vulnerability (CVE-2024-37254) that affects versions up to and including 7.2.7. The vulnerability was discovered by Rafie Muhammad and publicly disclosed on June 27, 2024. This security issue allows authenticated users with subscriber-level access and above to trigger unauthorized backup operations due to missing capability checks (WPScan, Patchstack).

The vulnerability stems from a missing capability check in the mkfilemanagerbackupcallback function, which fails to properly validate user permissions before allowing backup operations. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. It is classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (Patchstack).

The vulnerability allows authenticated attackers with subscriber-level access or higher to trigger unauthorized backup operations in the WordPress File Manager plugin. While the severity is considered low to medium, it represents a broken access control issue that could potentially be exploited to perform actions beyond the intended privilege level (WPScan).

The vulnerability has been fixed in version 7.2.8 of the File Manager plugin. Users are advised to update to this version or later to resolve the security issue. The patch priority is considered low, and virtual patching is deemed unnecessary (Patchstack).