Platform
wordpress
Component
file-manager-advanced
Fixed in
5.2.9
CVE-2024-8704 describes a Local File Inclusion (LFI) vulnerability affecting the Advanced File Manager plugin for WordPress. This vulnerability allows authenticated attackers with administrator-level access to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions up to and including 5.2.8. A patch is available, requiring users to upgrade to a secure version.
The impact of CVE-2024-8704 is significant due to the potential for code execution. An attacker who has administrator access can leverage this vulnerability to include and execute arbitrary PHP files, effectively gaining control over the server. This could involve uploading malicious images or other file types that can be included, then executing arbitrary code within those files. The attacker could then steal sensitive data, modify website content, install malware, or even compromise the entire WordPress installation. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to bypass access controls and execute malicious code.
CVE-2024-8704 was publicly disclosed on September 26, 2024. The vulnerability is considered relatively easy to exploit given the requirement of only administrator access. Currently, there are no known active campaigns targeting this specific vulnerability, but the availability of a public proof-of-concept increases the likelihood of exploitation. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
0.49% (66% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-8704 is to upgrade the Advanced File Manager plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting file upload permissions to prevent attackers from uploading files that can be included. Review server configurations to ensure proper file access controls are in place. Implement a Web Application Firewall (WAF) with rules to block suspicious file inclusion attempts targeting the 'fmalocale' parameter. After upgrading, verify the fix by attempting to access a non-existent file through the 'fmalocale' parameter and confirming that it results in an error, rather than file inclusion.
Actualice el plugin Advanced File Manager a la última versión disponible. La vulnerabilidad se encuentra en versiones anteriores a la más reciente. La actualización corregirá la inclusión de archivos JavaScript locales.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-8704 is a Local File Inclusion vulnerability in the Advanced File Manager plugin for WordPress versions up to 5.2.8, allowing authenticated admins to execute arbitrary PHP code.
You are affected if you are using the Advanced File Manager plugin for WordPress in version 5.2.8 or earlier and have administrator-level access.
Upgrade the Advanced File Manager plugin to a patched version. If upgrading is not immediately possible, restrict file upload permissions and consider a WAF.
While there are no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.