WordPress Plugin Vulnerabilities

Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access

Description

The plugin does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server.

Proof of Concept

Affects Plugins

Plugin icon
file-manager-advanced
Fixed in 5.1.1

References

CVE
CVE-2023-3814

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Dmitrii
Submitter
Dmitrii
Submitter website
https://blog.cleantalk.org
Verified
Yes
WPVDB ID
ca954ec6-6ebd-4d72-a323-570474e2e339

Timeline

Publicly Published
2023-08-14 (about 2 years ago)
Added
2023-08-14 (about 2 years ago)
Last Updated
2023-08-14 (about 2 years ago)

Other

Published
Title
Published
2021-04-15
Title
User Rights Access Manager < 1.0.4 - Improper Access Controls
Published
2021-10-18
Title
Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access
Published
2020-11-06
Title
WooCommerce < 4.6.2 - Guest Account Creation
Published
2022-03-29
Title
Flo Launch < 2.4.1 - Missing Authentication Allow Full Site Takeover
Published
2021-08-18
Title
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls