Platform: wordpress
Component: file-manager-advanced
Fixed in: 5.2.9
CVE-2024-8704 describes a Local File Inclusion (LFI) vulnerability affecting the Advanced File Manager plugin for WordPress. This vulnerability allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server. Versions of the plugin up to and including 5.2.8 are affected. A patch is expected from the plugin developer.
The primary impact of this vulnerability is the potential for arbitrary code execution on the WordPress server. An authenticated administrator can leverage the 'fma_locale' parameter to include and execute any PHP code present on the server. This can lead to a complete compromise of the WordPress installation, including data exfiltration, modification of website content, and the installation of malicious software. Attackers could potentially gain full control of the server, depending on the file types they can upload and include. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to execute malicious code.
CVE-2024-8704 was publicly disclosed on 2024-09-26. The vulnerability is considered relatively easy to exploit, since the only prerequisite is authenticated administrator access. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Advanced File Manager plugin, particularly those with administrator accounts that have not been secured with strong passwords or multi-factor authentication, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r 'fma_locale' /var/www/html/wp-content/plugins/advanced-file-manager/
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-content/plugins/advanced-file-manager/?fma_locale=../../../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS: 0.49% (66th percentile)
CISA SSVC:
CVSS vector:
The immediate mitigation for CVE-2024-8704 is to upgrade the Advanced File Manager plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or testing requirements, consider restricting file upload permissions to prevent attackers from uploading malicious PHP files. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can also provide a temporary layer of protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths in the 'fma_locale' parameter.
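The log monitoring recommended above, as an added example that is not part of this advisory and not the plugin's own code: a small Python scanner that reads access-log lines in combined log format, pulls the fma_locale query parameter from each request and flags values that contain traversal sequences, absolute paths or null bytes, or that do not look like a locale code at all. The request path, the locale-code pattern (two or three lowercase letters with an optional _CC region suffix) and the log lines themselves are constructed assumptions, not data from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). Not real traffic;
# the plugin URL path is assumed from the advisory's own curl check.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Sep/2024:10:00:01 +0000] "GET /wp-content/plugins/advanced-file-manager/?fma_locale=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Sep/2024:10:00:02 +0000] "GET /wp-content/plugins/advanced-file-manager/?fma_locale=de_DE HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2024:10:05:13 +0000] "GET /wp-content/plugins/advanced-file-manager/?fma_locale=../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [26/Sep/2024:10:05:20 +0000] "GET /wp-content/plugins/advanced-file-manager/?fma_locale=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [26/Sep/2024:10:05:25 +0000] "GET /wp-content/plugins/advanced-file-manager/?fma_locale=/etc/hostname HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.5 - - [26/Sep/2024:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Assumed shape of a legitimate locale code, e.g. "en" or "de_DE".
LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Z]{2})?$")

# Minimal combined-log-format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_locale(value):
    """Return the reasons an fma_locale value looks like a file-inclusion attempt.

    An empty list means the value is a plausible locale code.
    """
    value = fully_decode(value)
    reasons = []
    if ".." in value:
        reasons.append("path traversal")
    if value.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", value):
        reasons.append("absolute path")
    if "\x00" in value:
        reasons.append("null byte")
    if not reasons and not LOCALE_RE.match(value):
        reasons.append("not a locale code")
    return reasons


def scan_log(text):
    """Scan access-log text and return one finding per suspicious fma_locale value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        query = urlsplit(m.group("target")).query
        # parse_qs already applies one round of percent-decoding.
        for value in parse_qs(query, keep_blank_values=True).get("fma_locale", []):
            reasons = classify_locale(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": m.group("status"),
                    "fma_locale": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} "
              f"fma_locale={f['fma_locale']!r} -> {', '.join(f['reasons'])}")
```

Run against the embedded sample, the scanner reports the three requests from 198.51.100.7 and ignores the two legitimate locale values; in practice the same function can be fed `sys.stdin` or a rotated log file, and the HTTP status in each finding helps separate blocked probes from requests the server actually served.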
Update the Advanced File Manager plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. The update will fix the local JavaScript file inclusion.
CVE-2024-8704 is a Local File Inclusion vulnerability in the Advanced File Manager plugin for WordPress versions up to 5.2.8, allowing authenticated admins to execute arbitrary PHP code.
You are affected if you are using the Advanced File Manager plugin for WordPress in version 5.2.8 or earlier and have administrator-level access.
Upgrade the Advanced File Manager plugin to a patched version. If upgrading is not immediately possible, restrict file upload permissions and consider a WAF.
While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.