CVE-2024-9669

Name of the Vulnerable Software and Affected Versions File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.5

Description The File Manager Pro – Filester plugin for WordPress is vulnerable to Local JavaScript File Inclusion via the fm locale parameter. This allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server, enabling the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Recommendations For versions up to, and including, 1.8.5, consider disabling the fm locale parameter until a full patch is available. As a temporary workaround, restrict access to the plugin's functionality to minimize the risk of exploitation. Update to a version later than 1.8.5 once a fully patched version is released, as version 1.8.5 only partially addresses the issue.