The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 01 Oct 2024 14:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Advancedfilemanager
                    |                | Advancedfilemanager advanced File Manager
CPEs                |                | cpe:2.3:a:advancedfilemanager:advanced_file_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Advancedfilemanager
                    |                | Advancedfilemanager advanced File Manager

Thu, 26 Sep 2024 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Modalweb
                    |                | Modalweb advanced File Manager
CPEs                |                | cpe:2.3:a:modalweb:advanced_file_manager:*:*:*:*:*:*:*:*
Vendors & Products  |                | Modalweb
                    |                | Modalweb advanced File Manager
Metrics             |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Sep 2024 11:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.
Title       |                | Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2024-09-26T13:02:43.660Z

Reserved: 2024-08-23T18:23:32.345Z

Link: CVE-2024-8126

Vulnrichment

Updated: 2024-09-26T13:02:39.495Z

NVD

Status: Analyzed

Published: 2024-09-26T11:15:11.140

Modified: 2024-10-01T14:14:25.020

Link: CVE-2024-8126

Redhat

No data.

OpenCVE Enrichment

No data.