CVE-2024-11391

Name of the Vulnerable Software and Affected Versions Advanced File Manager plugin for WordPress versions up to and including 5.2.10

Description The issue arises from missing file type validation via the 'class fma connector.php' file, allowing authenticated attackers with Subscriber-level access or higher, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server. This could potentially make remote code execution possible. The vulnerable parameter is the file type, which is not properly validated, making it possible to upload malicious files.

Recommendations For versions up to and including 5.2.10, update to a version higher than 5.2.10 to resolve the issue. As a temporary workaround, consider restricting access to the 'class fma connector.php' file until a patch is available. Restrict permissions for uploading files to only necessary users to minimize the risk of exploitation.