WordPress Plugin Vulnerabilities

Advanced File Manager < 5.2.11 - Subscriber+ Arbitrary File Upload

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
file-manager-advanced
Fixed in 5.2.11

References

CVE
CVE-2024-11391
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f14a658c-1517-4af4-8bd7-c379ac07ab35

Miscellaneous

Original Researcher
Joshua Provoste
Verified
No
WPVDB ID
abf3208d-76f6-4037-b185-d2a6430bcfa3

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-03 (about 1 year ago)
Last Updated
2024-12-03 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
seo-spy-google - ofc_upload_image.php Arbitrary File Upload
Published
2026-03-05
Title
Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.9.6 - Unauthenticated Arbitrary File Upload
Published
2024-07-09
Title
Business Card <= 1.0.0 - Admin+ File Upload
Published
2024-10-28
Title
AR For Woocommerce < 7.0 - Unauthenticated Arbitrary File Upload
Published
2024-11-11
Title
Boat Rental Plugin for WordPress <= 1.0.1 - Unauthenticated Arbitrary File Upload