Platform: wordpress
Component: file-manager-advanced-shortcode
Fixed in: 2.6.0
CVE-2024-13914 describes a Local File Inclusion (LFI) vulnerability discovered in the File Manager Advanced Shortcode plugin for WordPress. This vulnerability allows authenticated administrators to include and execute arbitrary JavaScript files on the server, leading to potential data theft and code execution. The vulnerability impacts versions up to and including 2.5.6, and a fix is available in version 2.6.0.
The primary impact of CVE-2024-13914 is the ability for an authenticated administrator to execute arbitrary JavaScript code on the server. This can be achieved by manipulating the 'filemanageradvanced' shortcode to include malicious JavaScript files. An attacker could leverage this to bypass access controls, potentially gaining unauthorized access to sensitive data stored within the WordPress environment. Furthermore, the ability to execute JavaScript opens the door to more severe attacks, such as session hijacking, cross-site scripting (XSS), and even remote code execution if the attacker can upload and include a file containing malicious code. The risk is amplified if the WordPress site handles sensitive user data or financial transactions.
CVE-2024-13914 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available as of the publication date, but the vulnerability's nature makes it likely that PoCs will emerge. The EPSS score is likely to be medium, given the requirement for administrator authentication and the potential for significant impact. The vulnerability was publicly disclosed on 2025-05-15.
Exploit Status
EPSS: 0.71% (72nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-13914 is to upgrade the File Manager Advanced Shortcode plugin to version 2.6.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible due to compatibility issues or breaking changes, consider temporarily restricting administrator access to the file manager functionality. Additionally, implement strict file upload validation to prevent the upload of potentially malicious JavaScript files. Web Application Firewalls (WAFs) configured to detect and block suspicious file inclusion attempts can provide an additional layer of defense. Monitor WordPress logs for unusual file access patterns or JavaScript execution attempts.
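To make the "upgrade to 2.6.0" advice checkable, the following script (an added example, not code from the plugin or the advisory publisher) reads the `Version:` line from a WordPress plugin's header comment and reports whether the installed copy falls in the affected range (2.5.6 and earlier). The sample header text is constructed for illustration; the on-disk path layout under `wp-content/plugins/` is the standard WordPress one.

```python
"""Detect whether an installed File Manager Advanced Shortcode plugin is still
in the range affected by CVE-2024-13914 (<= 2.5.6, fixed in 2.6.0)."""
import re
from pathlib import Path
from typing import List, Optional

PLUGIN_SLUG = "file-manager-advanced-shortcode"
FIXED_VERSION = "2.6.0"

# Constructed sample of a WordPress plugin header comment (not the real file).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: File Manager Advanced Shortcode
 * Version: 2.5.6
 */
"""


def parse_version(v: str) -> List[int]:
    """'2.5.6' -> [2, 5, 6]; a non-numeric part (e.g. 'beta') sorts lowest."""
    return [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v.strip())]


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; '2.6' compares equal to '2.6.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + [0] * (n - len(pa)) < pb + [0] * (n - len(pb))


def plugin_version_from_header(text: str) -> Optional[str]:
    """Extract the value of the 'Version:' line from a plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(header_text: str) -> bool:
    """True when the header's version predates the fixed release."""
    v = plugin_version_from_header(header_text)
    if v is None:
        raise ValueError("no Version: header found")
    return version_lt(v, FIXED_VERSION)


def check_install(wp_root: str) -> Optional[bool]:
    """Scan the plugin directory under a WordPress root; None if not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    for php in sorted(plugin_dir.glob("*.php")) if plugin_dir.is_dir() else []:
        v = plugin_version_from_header(php.read_text(errors="ignore"))
        if v is not None:
            return version_lt(v, FIXED_VERSION)
    return None


if __name__ == "__main__":
    print("sample header vulnerable:", is_vulnerable(SAMPLE_HEADER))  # prints True
```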
Update the File Manager Advanced Shortcode plugin to version 2.6.0 or later. This update fixes the local file inclusion vulnerability that allows execution of arbitrary JavaScript code.
CVE-2024-13914 is a Local File Inclusion vulnerability in the File Manager Advanced Shortcode WordPress plugin, allowing authenticated admins to execute JavaScript. It has a CVSS score of 7.2 (HIGH).
You are affected if you are using File Manager Advanced Shortcode version 2.5.6 or earlier. Upgrade to 2.6.0 to resolve the vulnerability.
Upgrade the File Manager Advanced Shortcode plugin to version 2.6.0 or later. If immediate upgrade is not possible, restrict administrator access to file management features.
While no active exploitation has been publicly confirmed, the vulnerability's nature makes it a likely target for attackers. Monitoring and mitigation are crucial.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.