File Manager Advanced Shortcode <= Multiple Versions - Authenticated (Administrator+) Lokale JavaScript-Datei-Inklusion über Shortcode

An attacker exploiting this LFI vulnerability can leverage the 'filemanageradvanced' shortcode to include malicious JavaScript files. Because administrators have the ability to upload images and other seemingly safe file types, they can be included and executed, effectively bypassing access controls. This can lead to the theft of sensitive data stored on the WordPress server, including user credentials, database information, and potentially even system configuration files. The attacker could also achieve remote code execution, allowing them to take complete control of the affected WordPress instance. The impact is amplified in environments where the WordPress installation has weak security configurations or is running outdated plugins.

WordPress sites utilizing the File Manager Advanced Shortcode plugin, particularly those with administrator accounts that have access to the file management functionality, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.

• wordpress / plugin:

wp plugin list | grep 'File Manager Advanced Shortcode'

• wordpress / plugin: Check the plugin version. If it's <= 2.5.6, the system is vulnerable.

wp plugin list --status=active | grep 'File Manager Advanced Shortcode'

• wordpress / plugin: Examine WordPress logs for suspicious file inclusion attempts involving the 'filemanageradvanced' shortcode.

grep 'file_manager_advanced' /var/log/apache2/error.log

• wordpress / plugin: Review file upload directories for unexpected JavaScript files.

ls -l /path/to/wordpress/wp-content/uploads/

1. 2025-05-15Disclosure

   disclosure

1. Reserviert2025-03-01
2. Veröffentlicht2025-05-15
3. Geändert2025-07-01
4. EPSS aktualisiert2026-04-02

The primary mitigation for CVE-2024-13914 is to immediately upgrade the File Manager Advanced Shortcode plugin to version 2.6.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting administrator access to the file manager functionality. Web Application Firewalls (WAFs) configured to detect and block suspicious file inclusion attempts can provide an additional layer of protection. Monitor WordPress access logs for unusual file access patterns or JavaScript execution attempts. Implement strict file upload validation to prevent the upload of executable JavaScript files.