File Manager Pro < 8.3.10 – Unauthenticated Backup File Download and Upload | CVE 2024-8746 | Plugin Vulnerabilities

Description

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server which may make remote code execution possible.

Affects Plugins

wp-file-manager-pro

Fixed in 8.3.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/88f1eb9a-f3bb-4b62-975f-a6cb95850966

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

1ec95b33-a1e9-4d6c-9666-fe065e9cff24

Timeline

Publicly Published

2024-10-15 (about 1 year ago)

Added

2024-10-15 (about 1 year ago)

Last Updated

2024-10-16 (about 1 year ago)

Other

Published

Title

Published

2025-04-25

Title

Crossword Compiler Puzzles < 5.3 - Subscriber+ Arbitrary File Upload

Published

2024-04-03

Title

BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin < 1.0.88 - Authenticated (Admin+) Arbitrary File Upload

Published

2025-11-24

Title

ProjectList <= 0.3.0 - Authenticated (Editor+) Arbitrary File Upload

Published

2025-10-31

Title

Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent < 1.3.33 - Unauthenticated Arbitrary File Upload

Published

2025-11-17

Title

Pie Forms for WP <= 1.6 - Unauthenticated Arbitrary File Upload