CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2024-11391 – Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11391
02 Dec 2024 — The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3199242 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8704 – Advanced File Manager <= 5.2.8 - Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale
https://notcve.org/view.php?id=CVE-2024-8704
25 Sep 2024 — The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 5.2.8 via the 'fma_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file... • https://www.wordfence.com/threat-intel/vulnerabilities/id/5b783cc6-d79d-43ef-948a-a1953d383ca3?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8725 – Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Limited File Upload
https://notcve.org/view.php?id=CVE-2024-8725
25 Sep 2024 — Multiple plugins and/or themes for WordPress are vulnerable to Limited File Upload in various versions. This is due to a lack of proper checks to ensure lower-privileged roles cannot upload .css and .js files to arbitrary directories. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files to any directory within the WordPress root directory, which could lead to Stored Cross-Site Scripting. The Adva... • https://www.wordfence.com/threat-intel/vulnerabilities/id/ce2b4f93-93a6-480f-a877-ca47bd133bb6?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 4%CPEs: 1EXPL: 0CVE-2024-8126 – Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8126
25 Sep 2024 — The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/801d6cde-f9c6-4e68-8bfc-ff8c0593372d?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2024-5598 – Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing
https://notcve.org/view.php?id=CVE-2024-5598
28 Jun 2024 — The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder. El complemento Advanced File Manager para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 5.... • https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_connector.php#L13 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access
https://notcve.org/view.php?id=CVE-2023-3814
14 Aug 2023 — The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server. El complemento de WordPress Advanced File Manager anterior a 5.1.1 no autoriza adecuadamente su uso en instalaciones multisitio, lo que permite a los usuarios administradores del sitio enumerar y leer archivos y carpetas arbitrarios en el servidor. The Advanced File Managerplugin for WordPress is vuln... • https://wpscan.com/vulnerability/ca954ec6-6ebd-4d72-a323-570474e2e339 • CWE-284: Improper Access Control CWE-863: Incorrect Authorization •