CVE-2026-11962
Received Received - Intake

File Type Validation Bypass in FileOrganizer WordPress Plugin

Vulnerability report for CVE-2026-11962, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WPScan

Description

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access β€” which its premium add-on can extend to sub-administrator roles β€” to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, immediately update the FileOrganizer WordPress plugin to version 1.2.0 or later, as this version contains the fix that properly validates file types during all file-management operations.

Additionally, restrict file-manager access to trusted users only, especially if using the premium add-on that extends access to sub-administrator roles, to reduce the risk of arbitrary PHP file uploads.

Executive Summary

The FileOrganizer WordPress plugin before version 1.2.0 does not properly validate file types during several file-management operations. This flaw allows authenticated users with file-manager access, which can be extended to sub-administrator roles via a premium add-on, to upload arbitrary PHP files. Uploading these malicious PHP files can lead to remote code execution on the affected system.

This vulnerability is an incomplete fix of a previous issue (CVE-2024-7985) that only added file-type validation during the upload operation but missed other file-management tasks.

Impact Analysis

If exploited, this vulnerability allows an authenticated user with file-manager access to upload malicious PHP files, which can result in remote code execution. This means an attacker could execute arbitrary code on the server hosting the WordPress site, potentially leading to full system compromise, data theft, defacement, or further attacks within the network.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart