The FileOrganizer – WordPress File Manager plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, SVG file uploads are not properly sanitized or escaped, enabling authenticated attackers to inject arbitrary web scripts. These scripts execute in the context of users viewing the affected pages. The vulnerability affects all versions up to 1.0.6. The free version limits exploitation to administrators, while the pro version can be exploited by users with lower privileges if enabled. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, no user interaction, and partial impact on confidentiality and integrity. No known exploits in the wild have been reported, and no patch or remediation details are provided by the vendor.

Successful exploitation allows authenticated users to inject persistent malicious scripts via SVG file uploads. This can lead to partial confidentiality and integrity impacts within the WordPress environment, such as session hijacking or unauthorized actions performed in the context of affected users. The impact is limited by the requirement for authentication and, in the free version, administrator privileges. The pro version potentially expands the attack surface to lower-privileged users if certain features are enabled.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict SVG file uploads and limit plugin usage to trusted administrators. Consider disabling or restricting the FileOrganizer plugin, especially the pro features that allow lower-privileged user uploads. Monitor for updates from softaculous regarding patches or official mitigations.