The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The FileOrganizer WordPress plugin before version 1.2.0 contains an authentication bypass vulnerability that enables authenticated users with file-manager access to upload arbitrary PHP files and execute remote code on vulnerable servers. This represents a critical risk for WordPress installations using the plugin, particularly those with the premium add-on that extends file-manager permissions to sub-administrator roles. While CVE-2024-7985 attempted to patch file-type validation in the upload operation, this vulnerability demonstrates that validation was incomplete across multiple file-management operations, leaving the attack surface exposed. Organizations relying on this plugin face immediate risk of server compromise, data exfiltration, and lateral movement within their infrastructure.
Practitioners using Casky.ai would detect the attack patterns underlying this vulnerability through skills aligned with Execution and Defense Evasion techniques. The core pattern involves Abuse of Elevation Control Mechanism (T1548) combined with Unrestricted Upload of File with Dangerous Type (T1190-adjacent behavior), where authenticated users bypass file-type restrictions to achieve Code Execution (T1059). Casky's extended reasoning capabilities would flag suspicious file-manager activity including PHP file creation attempts, multiple failed validation checks, and post-upload code execution patterns. Security teams would observe findings highlighting the gap between authentication context (legitimate user access) and authorization scope (ability to upload executable files), along with indicators of post-exploitation activity such as new process creation or reverse shell connections originating from the web application.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11962. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation