WordPress Plugin Vulnerabilities

Advanced File Manager < 5.2.5 - Sensitive Information Exposure via Directory Listing

Description

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

Affects Plugins

Plugin icon
file-manager-advanced
Fixed in 5.2.5

References

CVE
CVE-2024-5598
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d4ff5ed-8857-46b8-942b-ac0f47880a95

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
b8c4f142-ea1b-4908-a94d-89305af70db2

Timeline

Publicly Published
2024-06-28 (about 1 year ago)
Added
2024-07-02 (about 1 year ago)
Last Updated
2024-07-02 (about 1 year ago)

Other

Published
Title
Published
2021-11-24
Title
Hide My WP < 6.2.4 - Unauthenticated Reset Token Disclosure
Published
2025-12-12
Title
Fix Media Library <= 2.0 - Unauthenticated Information Exposure
Published
2025-07-31
Title
SureDash < 1.2.0 - Authenticated (Subscriber+) Information Disclosure
Published
2021-12-13
Title
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
Published
2025-06-19
Title
ProfileGrid < 5.9.5.3 - Authenticated (Subscriber+) Full Path Disclosure