CVE-2024-13333

Name of the Vulnerable Software and Affected Versions Advanced File Manager plugin for WordPress versions 5.2.12 through 5.2.13

Description The issue is related to arbitrary file uploads due to missing file type validation in the fma local file system function. This allows authenticated attackers with Subscriber-level access and above, and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server, potentially making remote code execution possible. The function can only be exploited if the "Display .htaccess?" setting is enabled.

Recommendations For versions 5.2.12 through 5.2.13, consider disabling the fma local file system function until a patch is available. Restrict access to the Advanced File Manager plugin to minimize the risk of exploitation. Avoid using the "Display .htaccess?" setting in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.