CVE-2024-8126

Name of the Vulnerable Software and Affected Versions: Advanced File Manager plugin for WordPress versions up to, and including, 5.2.8

Description: The issue allows authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. This is achieved via the class fma connector.php file. The vulnerability can be exploited by uploading a new .htaccess file, enabling subsequent arbitrary file uploads.

Recommendations: For versions up to, and including, 5.2.8, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the class fma connector.php file until a patch is available. Additionally, review and restrict permissions granted to users with Subscriber-level access and above to minimize the risk of exploitation.