Arbitrary File Inclusion Vulnerability in Advanced File Manager Plugin for WordPress
CVE-2024-8704

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Advanced File Manager
Vendor: CVE Published:; 26 September 2024

What is CVE-2024-8704?

The Advanced File Manager plugin for WordPress is subject to a vulnerability that allows Local JavaScript File Inclusion. This security flaw affects all versions up to and including 5.2.8 and can be exploited by authenticated users with Administrator-level access. By manipulating the 'fma_locale' parameter, attackers can include and execute arbitrary files on the server, leading to unauthorized execution of PHP code. This vulnerability poses significant risks, such as bypassing access controls and exposing sensitive data, particularly when leveraging file uploads. Users and administrators are urged to review their plugin versions and implement necessary security measures.

Affected Version(s)

Advanced File Manager * <= 5.2.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/file-manager-a...

https://plugins.trac.wordpress.org/changeset/3157713/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2024
Vulnerability Reserved
Sep 11, 2024

Credit

TANG Cheuk Hei

Wordpress

What is CVE-2024-8704?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit