Cyber Resilience

CVE-2023-4827

HighPublic PoC

Published: 16 October 2023

Published
16 October 2023
Modified
23 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0628 91.1th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-4827 is a high-severity an unspecified weakness vulnerability in Ninjateam Filester. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The File Manager Pro WordPress plugin before version 1.8 is affected by CVE-2023-4827, a cross-site request forgery vulnerability. The plugin fails to properly validate the CSRF nonce for the fs_connector AJAX action, leaving the file system operations exposed to manipulation through unauthenticated requests.

An attacker can exploit the flaw by crafting malicious links or pages that, when visited by a highly privileged user such as an administrator, trigger arbitrary file system actions via GET requests. Successful exploitation can result in actions including the upload of a web shell, granting the attacker full control over the affected site with impacts rated high for confidentiality, integrity, and availability under a CVSS score of 8.8.

Public advisories published by WPScan detail the vulnerability and are available at the referenced URLs, indicating that the issue is resolved in plugin version 1.8 and later.

The associated EPSS score remains flat at 0.0628 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests,…

more

such as uploading a web shell.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ninjateam
filester
≤ 1.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References