CVE-2024-7770
Published: 10 September 2024
Summary
CVE-2024-7770 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Bitapps File Manager. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Bit File Manager plugin for WordPress, a free file manager and code editor component, is affected by an arbitrary file upload vulnerability (CWE-434) in all versions through 6.5.5. The flaw stems from missing file type validation inside the upload function, which permits files to be written to the server without sufficient restrictions.
Authenticated attackers holding Subscriber-level access or higher can exploit the issue when an administrator has explicitly granted them upload permissions. Successful exploitation allows upload of arbitrary files to the site, which may enable remote code execution on the affected server and carries a CVSS 3.1 base score of 8.8.
A patch addressing the missing validation was released via changeset 3138710 in the plugin's repository, updating the relevant controller and elFinder integration code to enforce stricter upload handling in subsequent versions.
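As an added illustration of the missing check described above (this is not the plugin's code and not the fix from changeset 3138710), the following stand-alone PHP validator shows the file-type gate an upload handler needs before writing anything to disk. The allowlist, function name and sample files are constructed for the example.

```php
<?php
declare(strict_types=1);
// Added example, not Bit File Manager code. Allowlist is an assumed policy:
// lowercase extension => MIME type the sniffed content must match.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
];

/**
 * Gate an upload before anything is written to disk.
 * Returns [bool $accepted, string $reason, ?string $nameToStoreAs].
 */
function validate_upload(string $clientName, string $contents): array
{
    // Drop any path component the client sent (../, C:\ ...).
    $base = basename(str_replace('\\', '/', $clientName));
    // Exactly one dot and a plain stem: rejects "a.php.png", ".htaccess", "a;b.png".
    $parts = explode('.', $base);
    if (count($parts) !== 2 || !preg_match('/^[A-Za-z0-9_-]+$/', $parts[0])) {
        return [false, 'unsafe filename', null];
    }
    $ext = strtolower($parts[1]);
    // Extension allowlist (never a denylist): .php, .phtml, .phar etc. cannot pass.
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [false, "extension .$ext not allowed", null];
    }
    // Sniff the actual bytes; the client's Content-Type header is untrusted.
    $finfo   = finfo_open(FILEINFO_MIME_TYPE);
    $sniffed = finfo_buffer($finfo, $contents);
    finfo_close($finfo);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return [false, "content sniffs as $sniffed, expected " . ALLOWED_TYPES[$ext], null];
    }
    // Never store under the client's name: random name, allowlisted extension only.
    return [true, 'ok', bin2hex(random_bytes(16)) . '.' . $ext];
}

// Constructed samples: a minimal PNG header, a PHP file, a double-extension
// name, and a .txt whose bytes are really PHP source.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00";
foreach ([['logo.png', $png], ['index.php', "<?php echo 1;"],
          ['logo.php.png', $png], ['notes.txt', "<?php echo 1;"]] as [$name, $bytes]) {
    [$ok, $why] = validate_upload($name, $bytes);
    printf("%-14s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Only the first sample is accepted; a real handler would additionally store accepted files in a directory where script execution is disabled and serve them with a fixed Content-Type. Inside WordPress, the core helper wp_check_filetype_and_ext() performs a comparable extension/MIME agreement check.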
The EPSS score remains flat at 0.0551 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48636
Vulnerability details
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.