CVE-2024-11391: Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload

7.5 CVSS

Description

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Classification

CVE ID: CVE-2024-11391

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: modalweb

Product: Advanced File Manager

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 21.56% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f14a658c-1517-4af4-8bd7-c379ac07ab35?source=cve
https://plugins.trac.wordpress.org/changeset/3199242/

Timeline

2024-12-04 00:11:22 UTC
CVE

Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload