Cyber Resilience

CVE-2024-7770

High

Published: 10 September 2024

Modified: 26 September 2024
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0551 (90.4th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-7770 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Bitapps File Manager. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Bit File Manager plugin for WordPress, a free file manager and code editor component, is affected by an arbitrary file upload vulnerability (CWE-434) in all versions through 6.5.5. The flaw stems from missing file type validation inside the upload function, which permits files to be written to the server without sufficient restrictions.

Authenticated attackers holding Subscriber-level access or higher can exploit the issue when an administrator has explicitly granted them upload permissions. Successful exploitation allows upload of arbitrary files to the site, which may enable remote code execution on the affected server and carries a CVSS 3.1 base score of 8.8.

A patch addressing the missing validation was released via changeset 3138710 in the plugin's repository, updating the relevant controller and elFinder integration code to enforce stricter upload handling in subsequent versions.
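The missing check described above, shown as an added example (not the plugin's code or the patch itself) of the validation an upload handler needs to avoid CWE-434: an extension allowlist tied to the sniffed content type, rejection of executable extensions anywhere in the name, and a server-chosen storage name. The allowlist, helper names and constructed sample files are assumptions for illustration; it assumes plain PHP 8 with the fileinfo extension.

```php
<?php
// Added example, not the Bit File Manager plugin's code: server-side file type
// validation for an upload handler. Assumes PHP 8 with the fileinfo extension;
// the allowlist below is illustrative, not the plugin's configuration.

const ALLOWED_TYPES = [   // extension => MIME type expected from content sniffing
    'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'gif' => 'image/gif', 'pdf' => 'application/pdf', 'txt' => 'text/plain',
];
const EXEC_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess'];

/** Returns [true, ''] if the upload may be stored, otherwise [false, reason]. */
function validate_upload(string $clientName, string $tmpPath): array
{
    $name = basename($clientName);                  // drop any client-supplied path
    if ($name === '' || str_contains($name, "\0")) {
        return [false, 'empty or null-byte filename'];
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || end($parts) === '') {
        return [false, 'missing extension'];
    }
    // Reject an executable extension anywhere after the base name (image.php.png,
    // .htaccess), not only in the last position.
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, EXEC_EXTENSIONS, true)) {
            return [false, "executable extension .$ext"];
        }
    }
    $ext = end($parts);
    if (!isset(ALLOWED_TYPES[$ext])) {
        return [false, "extension .$ext not in allowlist"];
    }
    // Sniff the stored bytes; the client's Content-Type header is untrusted input.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return [false, "content type $mime does not match .$ext"];
    }
    return [true, ''];
}

/** Never reuse the client's name on disk: random name plus the validated extension. */
function storage_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a minimal PNG signature, and PHP code disguised as a PNG.
$good = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($good, "\x89PNG\r\n\x1a\n");
$bad  = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($bad, "<?php echo 1; ?>");
var_dump(validate_upload('photo.png', $good));      // accepted
var_dump(validate_upload('avatar.png', $bad));      // rejected: content is text/x-php
var_dump(validate_upload('image.php.png', $good));  // rejected: executable extension .php
```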

The EPSS score remains flat at 0.0551 with no material increase observed after disclosure.

Vulnerability details

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

bitapps file manager ≤ 6.5.6

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
