Interesting Cross-Site Request Forgery to Local JS File Inclusion Vulnerability Patched in File Manager WordPress Plugin

On February 15th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Cross-Site Request Forgery to Local JS File Inclusion vulnerability in File Manager, a WordPress plugin with more than 1,000,000+ active installations. This vulnerability can be leveraged to achieve Remote Code Execution (RCE) via a forged request, provided an attacker can trick a site administrator into performing an action such as clicking on a link.

Please note that while this vulnerability is unlikely to be targeted and exploited due to the prerequisites required to exploit it, we wanted to highlight the discovery of this researcher as this was a cleverly crafted exploit.

Props to 0xBishop who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $601.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Local File Inclusion protection.

Wordfence contacted WebDesi9 on February 16, 2024, and received a response on February 16, 2024. After providing full disclosure details, the developer released the first patch on February 28, 2024. A fully patched version, 7.2.5, was released on March 15, 2024. We would like to commend WebDesi9 for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of File Manager, which is version 7.2.5, as soon as possible.

Source and more details:

Posted in Vulnerability.