CVE-2024-8746

Name of the Vulnerable Software and Affected Versions: File Manager Pro plugin for WordPress versions up to, and including, 8.3.9

Description: The issue allows unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server, which may make remote code execution possible. This is due to missing file type validation via the mk file folder manager shortcode ajax action.

Recommendations: For versions up to, and including, 8.3.9, update to a version higher than 8.3.9 to resolve the issue. As a temporary workaround, consider restricting access to the mk file folder manager shortcode ajax action until a patch is available. Additionally, restrict the File Manager access to only necessary personnel to minimize the risk of exploitation.