A critical vulnerability (CVE-2024-11391) has been identified in the Advanced File Manager plugin for WordPress, affecting versions up to and including 5.2.10.
This flaw allows authenticated attackers with Subscriber-level access and specific permissions granted by an Administrator to upload arbitrary files to the server. Exploiting this vulnerability can potentially lead to Remote Code Execution (RCE), enabling attackers to compromise the website entirely.
Key Details:
- Affected Plugin: Advanced File Manager for WordPress
- Affected Versions: 5.2.10 and earlier
- Vulnerability Type: Arbitrary File Upload
- File Involved: class_fma_connector.php
- Severity: High (7.5)
- Published Date: December 3, 2024
How Does the Exploit Work?
An attacker can exploit this vulnerability by uploading a malicious file via the vulnerable class_fma_connector.php file in the plugin. Since the plugin lacks proper file type validation, the attacker can bypass restrictions and upload files containing executable code, such as a PHP web shell.
Once the file is uploaded to the server, the attacker can directly execute it by accessing the file’s URL. This allows them to run arbitrary commands on the server, potentially leading to remote code execution (RCE). From there, they can compromise the website, steal sensitive data, or establish backdoor access.
Risk Assessment:
The vulnerability is classified as High severity with the following scores:
- CVSS v3: 7.5 (Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CVSS v2: 7.1 (Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)
Exploitation requires an authenticated low-privilege account that has been granted specific file-management permissions, and the attack complexity is rated High (AC:H). Even so, the potential for RCE makes this a severe risk for administrators of WordPress sites running the affected plugin.
Mitigation and Recommendations:
- Update the Plugin: Ensure the Advanced File Manager plugin is updated to the latest version (or uninstall if a patched version is unavailable).
- Review Permissions: Limit permissions granted to Subscriber-level and other low-privilege roles. Avoid assigning unnecessary file management capabilities.
- Monitor for Indicators of Compromise (IoCs):
  - Unusual file uploads or modifications on the server.
  - Unexpected changes to website behavior or performance.
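The following is an added example and is not code from this advisory or from the Advanced File Manager plugin. It covers both the missing validation described under "How Does the Exploit Work?" and the IoC monitoring recommended above: an allow-list upload policy of the kind a connector should apply before writing a file (no executable extension anywhere in the name, so `image.php.jpg` is caught too; only expected media extensions; no PHP open tag in the bytes), re-used to sweep an existing `wp-content/uploads`-style tree for files that the policy would have refused. The extension sets, the directory layout and every file's contents are constructed for the demonstration and are not a description of any real site.

```python
import re
import tempfile
from pathlib import Path

# Assumed policy (constructed for this example, not the plugin's configuration):
# extensions a typical PHP host will execute, and the only extensions this
# site's uploads directory is expected to contain.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7",
                         ".phtml", ".phar", ".pht", ".phps"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".txt"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Allow-list check an upload handler should apply before saving a file.

    Returns (accepted, reason). Rejects hidden names such as .htaccess,
    executable extensions anywhere in the name (double extensions), names
    outside the allow list, and files whose bytes contain a PHP open tag
    even when the extension looks harmless (an image/PHP polyglot).
    """
    name = Path(filename).name
    if not name or name.startswith(".") or "\x00" in name:
        return False, "hidden, empty or null-byte file name"
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return False, "no file extension"
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return False, "executable extension in name"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffixes[-1]} not in allow list"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag inside non-PHP file"
    return True, "ok"


def scan_uploads(root: Path) -> list[tuple[str, str]]:
    """Apply the same policy to files already on disk.

    Anything under the uploads tree that the upload policy would have
    rejected is an indicator worth triage: a dropped script, a polyglot
    image, or an unexpected .htaccess.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            ok, reason = validate_upload(path.name, path.read_bytes())
            if not ok:
                findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def build_demo_tree(base: Path) -> None:
    """Constructed sample uploads directory: one legitimate image and four
    files of the kind an arbitrary-file-upload flaw leaves behind."""
    month = base / "2024" / "12"
    month.mkdir(parents=True)
    # Plain JPEG header, expected content: should pass.
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Double extension: executable extension hidden before an allowed one.
    (month / "image.php.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    # Polyglot: valid PNG signature followed by PHP code (marker text only).
    (month / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 'constructed marker'; ?>")
    # Script with a less common executable extension.
    (month / "helper.phtml").write_bytes(b"<?php echo 'constructed marker'; ?>")
    # Any .htaccess appearing inside uploads deserves review.
    (base / ".htaccess").write_bytes(b"# constructed placeholder\n")


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_uploads(root)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"SUSPICIOUS {path}: {reason}")
```

Running the script lists four of the five constructed files; only `2024/12/photo.jpg` passes. On a live site the scan would be pointed at the real uploads directory and run on a schedule, with any new finding compared against the upload timestamps in the web server log; the same `validate_upload` function is what an upload handler should call before the file ever reaches disk.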
Vulnerabilities in WordPress plugins are very common, so it’s crucial for administrators to regularly audit and update their plugins, implement strong security measures, and stay informed about newly discovered vulnerabilities.
Sign up to receive the latest vulnerability updates from the OP Innovate Research Team straight to your inbox.