Description
Missing Authorization vulnerability in Saad Iqbal Advanced File Manager file-manager-advanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced File Manager: from n/a through <= 5.3.1.
Published: 2025-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced File Manager plugin for WordPress contains a missing authorization flaw (CWE‑862) that lets a user dismiss important security notices without proper permissions. By dismissing these notices, an attacker can suppress warning messages and potentially gain access to functionality that is normally protected, effectively reducing security controls and allowing privileged actions to be performed by unauthorized users.

Affected Systems

Any WordPress site that installs the Saad Iqbal Advanced File Manager plugin, specifically versions up through and including 5.3.1, is vulnerable. The issue affects only the plugin, not the core WordPress installation, but any user who can load the plugin’s administrative interface may exploit the bug.

Risk and Exploitability

The overall severity is moderate, with a CVSS score of 5.3 and an EPSS indicate very low exploitation probability (<1%). The vulnerability is not listed in CISA’s KEV catalog, suggesting it has not yet been widely exploited. An attacker with any authenticated role that can access the plugin, or potentially a compromised account, may use the notice dismissal endpoint to bypass restrictions. The attack vector is likely through the web interface of the plugin, requiring only standard user access privileges.

Generated by OpenCVE AI on April 30, 2026 at 13:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Advanced File Manager plugin to the latest version available (greater than 5.3.1).
  • If an update is not immediately possible, remove or restrict user roles that have access to the plugin’s admin pages to prevent notice dismissal.
  • Audit user activity logs for unexpected notice dismissal events and investigate any anomalous actions.

Generated by OpenCVE AI on April 30, 2026 at 13:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13720 Missing Authorization vulnerability in Saad Iqbal Advanced File Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced File Manager: from n/a through 5.3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Saad Iqbal Advanced File Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced File Manager: from n/a through 5.3.1. Missing Authorization vulnerability in Saad Iqbal Advanced File Manager file-manager-advanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced File Manager: from n/a through <= 5.3.1.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00044}

 epss

{'score': 0.00046}

Fri, 23 May 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Advancedfilemanager
Advancedfilemanager advanced File Manager
CPEs cpe:2.3:a:advancedfilemanager:advanced_file_manager:*:*:*:*:*:wordpress:*:*
Vendors & Products Advancedfilemanager
Advancedfilemanager advanced File Manager

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Saad Iqbal Advanced File Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced File Manager: from n/a through 5.3.1.
Title WordPress Advanced File Manager plugin <= 5.3.1 - Broken Access Control to Notice Dismissal vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Advancedfilemanager Advanced File Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.688Z

Reserved: 2025-05-07T10:45:47.044Z

Link: CVE-2025-47688

cve-icon Vulnrichment

Updated: 2025-05-07T17:19:53.737Z

cve-icon NVD

Status : Modified

Published: 2025-05-07T15:16:20.743

Modified: 2026-04-23T15:30:44.930

Link: CVE-2025-47688

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:15:37Z

Weaknesses