CVE-2026-11962
WordPress · FileOrganizer
The FileOrganizer WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability, enabling authenticated users to upload arbitrary files to the server.
Executive summary
An Unrestricted File Upload vulnerability in the FileOrganizer WordPress plugin, rated 8.8, allows authenticated users to execute arbitrary code on the server.
Vulnerability
This vulnerability involves the unrestricted upload of files with dangerous types (CWE-434), which can be exploited by an authenticated attacker with low-level privileges to gain remote code execution on the underlying server.
Business impact
Exploitation of this vulnerability allows an attacker to upload malicious PHP scripts, leading to full server compromise, unauthorized access to the database, and potential lateral movement within the network. With a CVSS score of 8.8, the risk to confidentiality, integrity, and availability is severe, making it a critical priority for remediation.
Remediation
Immediate Action: Update the FileOrganizer plugin to version 1.2.0 or the latest available version immediately.
Proactive Monitoring: Audit the server’s file system for unexpected files, particularly in the uploads directory, and review user access logs for unusual file management activity.
Compensating Controls: Implement strict file type validation at the WAF level and disable the ability to execute scripts within the WordPress upload directory.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability for a low-privileged user to upload and execute arbitrary files is a critical security failure. Organizations using this plugin must prioritize the update to version 1.2.0 to eliminate the risk of remote code execution.