PT-2025-21264 · WordPress · Advanced-File-Manager-Pro-Premium+1
Published
2025-05-15
·
Updated
2025-07-01
·
CVE-2024-13914
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
File Manager Advanced Shortcode WordPress plugin versions up to, and including, 2.5.4
advanced-file-manager-pro-premium versions up to, and including, 2.5.6
Description:
The issue allows authenticated attackers with Administrator-level access and above to include and execute arbitrary JavaScript files on the server via the 'file manager advanced' shortcode. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Recommendations:
For versions up to, and including, 2.5.4 of the File Manager Advanced Shortcode WordPress plugin, update to version 2.6.0 of the advanced-file-manager-pro-premium.
As a temporary workaround, consider restricting access to the
file manager advanced shortcode until a patch is available.Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Advanced File Manager Shortcodes
Advanced-File-Manager-Pro-Premium