CVE-2024-7985: 
WordPress vulnerability analysis and mitigation

The FileOrganizer plugin for WordPress (versions up to 1.0.9) contains an arbitrary file upload vulnerability in the 'fileorganizerajaxhandler' function. This security flaw allows authenticated attackers with Subscriber-level access or higher, who have been granted permissions by an administrator, to upload arbitrary files to the affected site's server. The vulnerability was discovered and disclosed in October 2024 (NVD, FortiGuard).

The vulnerability stems from missing file type validation in the 'fileorganizerajaxhandler' function. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H by NVD, while Wordfence assigned a score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

Successful exploitation of this vulnerability could lead to remote code execution on the affected server. The vulnerability requires the FileOrganizer Pro plugin to be installed and active for Subscriber+ users to upload files, potentially allowing attackers to gain control of vulnerable systems (FortiGuard).

The vulnerability has been patched in version 1.1.0 of the FileOrganizer plugin. Site administrators should update to this version immediately to protect against potential attacks. The update includes additional checks for file uploading as part of the security improvements (WordPress Changeset).