CVE-2026-11962

WordPress · FileOrganizer

The FileOrganizer WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability, enabling authenticated users to upload arbitrary files to the server.

Executive summary

An Unrestricted File Upload vulnerability in the FileOrganizer WordPress plugin, rated 8.8, allows authenticated users to execute arbitrary code on the server.

Vulnerability

This vulnerability involves the unrestricted upload of files with dangerous types (CWE-434), which can be exploited by an authenticated attacker with low-level privileges to gain remote code execution on the underlying server.

Business impact

Exploitation of this vulnerability allows an attacker to upload malicious PHP scripts, leading to full server compromise, unauthorized access to the database, and potential lateral movement within the network. With a CVSS score of 8.8, the risk to confidentiality, integrity, and availability is severe, making it a critical priority for remediation.

Remediation

Immediate Action: Update the FileOrganizer plugin to version 1.2.0 or the latest available version immediately.

Proactive Monitoring: Audit the server’s file system for unexpected files, particularly in the uploads directory, and review user access logs for unusual file management activity.

Compensating Controls: Implement strict file type validation at the WAF level and disable the ability to execute scripts within the WordPress upload directory.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for a low-privileged user to upload and execute arbitrary files is a critical security failure. Organizations using this plugin must prioritize the update to version 1.2.0 to eliminate the risk of remote code execution.