Advanced File Manager 5.2.12 – 5.2.13 – Subscriber+ Arbitrary File Upload | CVE 2024-13333 | Plugin Vulnerabilities

Description

The plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess?" setting is enabled.

Affects Plugins

file-manager-advanced

Fixed in 5.2.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8bcbf8-1848-4f7a-89d8-5894de0bb18b

Miscellaneous

Original Researcher

TANG Cheuk Hei (siunam)

Verified

No

WPVDB ID

2f2776c3-24fb-4b5e-b74f-29b4269dc544

Timeline

Publicly Published

2025-01-16 (about 1 year ago)

Added

2025-01-17 (about 1 year ago)

Last Updated

2025-01-17 (about 1 year ago)

Other

Published

Title

Published

2025-09-09

Title

Responsive Filterable Portfolio < 1.0.25 - Authenticated (Admin+) Arbitrary File Upload

Published

2025-04-16

Title

Kadence WooCommerce Email Designer < 1.5.15 - Admin+ Arbitrary File Upload

Published

2025-04-03

Title

Woffice Core < 5.4.22 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2026-02-17

Title

Wiguard < 2.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

Clockstone <= 1.2 - Arbitrary File Upload