HIGH | CVE-2024-8704 | CVSS 7.2

CVE-2024-8704: LFI in Advanced File Manager WordPress Plugin

Platform

wordpress

Component

file-manager-advanced

Fixed in

5.2.9

AI Confidence: high · NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2024-8704 describes a Local File Inclusion (LFI) vulnerability affecting the Advanced File Manager plugin for WordPress. It allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions up to and including 5.2.8. A patch is available; users should upgrade to 5.2.9 or later.


Impact and Attack Scenarios

The impact of CVE-2024-8704 is significant due to the potential for code execution. An attacker who has administrator access can leverage this vulnerability to include and execute arbitrary PHP files, effectively gaining control over the server. This could involve uploading malicious images or other file types that can be included, then executing arbitrary code within those files. The attacker could then steal sensitive data, modify website content, install malware, or even compromise the entire WordPress installation. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to bypass access controls and execute malicious code.

Exploitation Context

CVE-2024-8704 was publicly disclosed on September 26, 2024. The vulnerability is considered relatively easy to exploit once administrator access is held, since no further conditions are required. Currently, there are no known active campaigns targeting this specific vulnerability, but the availability of a public proof-of-concept increases the likelihood of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.49% (66% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2, HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: file-manager-advanced
Vendor: modalweb
Affected range: * – 5.2.8
Fixed in: 5.2.9

Package Information

Active installs: 100K (Niche)
Plugin rating: 4.8
Requires WordPress: 4.0+
Compatible up to: 6.9.4
Requires PHP: 7.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Unpatched — 605 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2024-8704 is to upgrade the Advanced File Manager plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting file upload permissions to prevent attackers from uploading files that can be included. Review server configurations to ensure proper file access controls are in place. Implement a Web Application Firewall (WAF) with rules to block suspicious file inclusion attempts targeting the 'fmalocale' parameter. After upgrading, verify the fix by attempting to access a non-existent file through the 'fmalocale' parameter and confirming that it results in an error, rather than file inclusion.
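The WAF and monitoring advice above can be backed by a log check. The following is an added example, not code from the advisory or the plugin: it scans constructed Apache-style access-log lines and reports requests whose 'fmalocale' query parameter does not look like a plain locale code (traversal sequences, path separators, null bytes or stream-wrapper schemes). The log format, IPs and paths are assumptions for illustration.

```python
# Added example (not from the advisory or the plugin): flag requests whose
# 'fmalocale' parameter could reach a file outside the plugin's locale set.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines; hosts, paths and values are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=file_manager_advanced&fmalocale=en HTTP/1.1" 200 5120
203.0.113.5 - - [26/Sep/2024:10:00:07 +0000] "GET /wp-admin/admin.php?page=file_manager_advanced&fmalocale=de_DE HTTP/1.1" 200 5120
198.51.100.9 - - [26/Sep/2024:10:02:13 +0000] "GET /wp-admin/admin.php?page=file_manager_advanced&fmalocale=..%2F..%2Fnot-a-locale HTTP/1.1" 200 9817
198.51.100.9 - - [26/Sep/2024:10:02:40 +0000] "GET /wp-admin/admin.php?page=file_manager_advanced&fmalocale=php://filter/resource=index HTTP/1.1" 200 9817
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Expected shape of a legitimate locale value: "en", "de_DE", "pt_BR" and the like.
LOCALE_RE = re.compile(r'^[a-z]{2,3}(_[A-Za-z]{2,4})?$')

def is_suspicious_locale(value: str) -> bool:
    """True when the (possibly double-encoded) value is not a bare locale code
    and carries markers typical of file-inclusion attempts."""
    decoded = unquote(unquote(value))  # tolerate single and double URL encoding
    if LOCALE_RE.fullmatch(decoded):
        return False
    return any(marker in decoded for marker in ("..", "/", "\\", "\x00", "://"))

def scan_access_log(text: str) -> list[dict]:
    """Return one finding per request whose fmalocale parameter looks suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the whole scan
        query = urlsplit(m["target"]).query
        # parse_qs already percent-decodes once; is_suspicious_locale decodes again.
        for value in parse_qs(query, keep_blank_values=True).get("fmalocale", []):
            if is_suspicious_locale(value):
                findings.append({"ip": m["ip"], "timestamp": m["ts"],
                                 "value": unquote(value), "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} fmalocale={f['value']!r} status={f['status']}")
```

A 200 status on a flagged request from an administrator session is the case to correlate with WordPress audit logs; after upgrading to 5.2.9, the same requests should no longer return file contents.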

How to fix

Update the Advanced File Manager plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. The update fixes the local JavaScript file inclusion.


Frequently asked questions

What is CVE-2024-8704 — LFI in Advanced File Manager WordPress Plugin?

CVE-2024-8704 is a Local File Inclusion vulnerability in the Advanced File Manager plugin for WordPress versions up to 5.2.8, allowing authenticated admins to execute arbitrary PHP code.

Am I affected by CVE-2024-8704 in Advanced File Manager WordPress Plugin?

You are affected if you run the Advanced File Manager plugin for WordPress in version 5.2.8 or earlier; exploitation requires an account with administrator-level access.

How do I fix CVE-2024-8704 in Advanced File Manager WordPress Plugin?

Upgrade the Advanced File Manager plugin to a patched version. If upgrading is not immediately possible, restrict file upload permissions and consider a WAF.

Is CVE-2024-8704 being actively exploited?

While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.

Where can I find the official Advanced File Manager advisory for CVE-2024-8704?

Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.
