Vulnerabilites related to bitpressadmin - Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
CVE-2024-8743 (GCVE-0-2024-8743)
Vulnerability from cvelistv5
Published
2024-10-05 06:44
Modified
2024-10-07 15:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bitpressadmin | Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress |
Version: * ≤ 6.5.7 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitapps:file_manager:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "file_manager",
"vendor": "bitapps",
"versions": [
{
"lessThan": "6.5.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T15:57:45.966898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T15:57:49.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "6.5.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TANG Cheuk Hei"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-05T06:44:10.696Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/314520d5-bd9d-46c1-b903-5e5cb3bb3417?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3161219/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-04T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress \u003c= 6.5.7 - Authenticated (Subscriber+) Limited JavaScript File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8743",
"datePublished": "2024-10-05T06:44:10.696Z",
"dateReserved": "2024-09-11T21:44:52.570Z",
"dateUpdated": "2024-10-07T15:57:49.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7770 (GCVE-0-2024-7770)
Vulnerability from cvelistv5
Published
2024-09-10 10:59
Modified
2024-09-10 13:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bitpressadmin | Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress |
Version: * ≤ 6.5.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitpressadmin:bit_file_manager_wordpress:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bit_file_manager_wordpress",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "6.5.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:22:42.916828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T13:25:39.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "6.5.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TANG Cheuk Hei"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027upload\u0027 function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T10:59:05.034Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cae7702-e531-45b9-9131-42edbc073a07?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Http/Controllers/FileManagerController.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinderConnector.class.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinder.class.php#L1210"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/libs/elFinder/php/elFinder.class.php#L3257"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3138710/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress \u003c= 6.5.5 - Authenticated (Subscriber+) Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7770",
"datePublished": "2024-09-10T10:59:05.034Z",
"dateReserved": "2024-08-13T19:11:05.331Z",
"dateUpdated": "2024-09-10T13:25:39.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1725 (GCVE-0-2025-1725)
Vulnerability from cvelistv5
Published
2025-06-03 08:21
Modified
2025-06-03 13:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bitpressadmin | Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress |
Version: * ≤ 6.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T13:28:33.565708Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T13:28:41.470Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TANG Cheuk Hei"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T08:21:52.457Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/84ddb481-f989-4ba8-9925-e8327c30de38?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/tags/6.6.3/backend/app/Http/Controllers/FileManagerController.php#L112"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-25T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-06-02T20:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress \u003c= 6.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Uploads"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1725",
"datePublished": "2025-06-03T08:21:52.457Z",
"dateReserved": "2025-02-26T17:58:14.600Z",
"dateUpdated": "2025-06-03T13:28:41.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7627 (GCVE-0-2024-7627)
Vulnerability from cvelistv5
Published
2024-09-05 02:04
Modified
2024-09-05 13:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bitpressadmin | Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress |
Version: 6.0 ≤ 6.5.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bitapps:file_manager:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "file_manager",
"vendor": "bitapps",
"versions": [
{
"lessThanOrEqual": "6.5.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:32:30.809272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:32:49.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bit File Manager \u2013 100% Free \u0026 Open Source File Manager and Code Editor for WordPress",
"vendor": "bitpressadmin",
"versions": [
{
"lessThanOrEqual": "6.5.5",
"status": "affected",
"version": "6.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TANG Cheuk Hei"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the \u0027checkSyntax\u0027 function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T02:04:24.643Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f29de7a-3f15-4b6d-aad7-6a08151e2113?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3138710/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-04T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7627",
"datePublished": "2024-09-05T02:04:24.643Z",
"dateReserved": "2024-08-08T19:42:34.617Z",
"dateUpdated": "2024-09-05T13:32:49.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}