CVE-2024-8704

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Sep 26, 2024 / Updated: 54d ago

CVSS 7.2 / EPSS 0.06% / Severity: High

Summary

The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in versions up to and including 5.2.8. This vulnerability allows authenticated attackers with Administrator-level access or higher to include and execute arbitrary files on the server. Attackers can exploit this vulnerability through the 'fma_locale' parameter, enabling them to execute any PHP code contained in the included files.

Impact

The impact of this vulnerability is severe. Attackers who successfully exploit it can:

1. Bypass access controls: This could lead to unauthorized access to restricted areas of the WordPress site.
2. Obtain sensitive data: Attackers may be able to access and exfiltrate confidential information stored on the server.
3. Achieve code execution: In cases where "safe" file types like images can be uploaded and included, attackers could potentially execute malicious code on the server.
4. Compromise system integrity: The ability to execute arbitrary PHP code could lead to full server compromise, allowing attackers to modify or delete data, install backdoors, or use the server for further attacks.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available for this vulnerability. The issue has been addressed in version 5.2.9 of the Advanced File Manager plugin for WordPress. Users should update to this version or later to mitigate the vulnerability.

Mitigation

To mitigate this vulnerability, the following steps are recommended:

1. Update the Advanced File Manager plugin to version 5.2.9 or later immediately.
2. If immediate updating is not possible, consider temporarily disabling the Advanced File Manager plugin until the update can be applied.
3. Implement the principle of least privilege by ensuring that administrator access is strictly limited to trusted users only.
4. Regularly audit user accounts with elevated privileges to ensure they are necessary and have not been compromised.
5. Implement strong password policies and multi-factor authentication for administrator accounts.
6. Monitor server logs for any suspicious activities related to file inclusions or unexpected PHP code executions.
7. Consider implementing a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.
8. Regularly back up your WordPress installation and database to ensure quick recovery in case of a successful attack.
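As an added example (not part of this advisory or the plugin's code), the following Python scanner implements the log-monitoring step above: it parses Apache-style access-log lines (constructed samples, not real traffic), extracts the 'fma_locale' query parameter and flags any value that does not look like a locale tag, which catches path-like values however many times they are URL-encoded. The log format, the admin page path and the locale-tag allowlist pattern are assumptions; only the parameter name comes from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log sample (not real traffic). The admin
# page path is an assumption; only the parameter name comes from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:22:28:19 +0000] "GET /wp-admin/admin.php?page=file_manager&fma_locale=en_US HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2024:22:29:02 +0000] "GET /wp-admin/admin.php?page=file_manager&fma_locale=..%2F..%2Fuploads%2Fnote.txt HTTP/1.1" 200 810
203.0.113.12 - - [10/Oct/2024:22:30:44 +0000] "GET /wp-admin/admin.php?page=file_manager&fma_locale=de_DE HTTP/1.1" 200 5100
203.0.113.13 - - [10/Oct/2024:22:31:07 +0000] "GET /wp-admin/admin.php?fma_locale=%252e%252e%252fnote HTTP/1.1" 403 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allowlist: a real locale is language[_REGION]; anything else is anomalous.
LOCALE_RE = re.compile(r'^[a-z]{2,3}(?:_[A-Z]{2})?$')

def normalize(value: str) -> str:
    """Decode repeatedly so double-encoded values (e.g. %252e) cannot hide."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_locale(value: str) -> bool:
    """True when an fma_locale value does not match the locale allowlist."""
    return LOCALE_RE.fullmatch(normalize(value)) is None

def scan_log(text: str) -> list[dict]:
    """Return one finding per request whose fma_locale value is anomalous."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already applies one round of URL-decoding.
        for value in parse_qs(query, keep_blank_values=True).get("fma_locale", []):
            if suspicious_locale(value):
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "fma_locale": normalize(value)})
    return findings
```

Because the check is an allowlist on the expected value shape rather than a blocklist of traversal strings, it also flags encodings the blocklist author did not anticipate.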

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8704.

Sep 26, 2024 at 11:05 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 26, 2024 at 11:05 AM
CVE Assignment

NVD published the first details for CVE-2024-8704

Sep 26, 2024 at 11:15 AM
CVSS

A CVSS base score of 7.2 has been assigned.

Sep 26, 2024 at 11:20 AM / nvd
EPSS

EPSS Score was set to: 0.06% (Percentile: 23.6%)

Sep 27, 2024 at 10:25 AM

Affected Systems

Advancedfilemanager/advanced_file_manager

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-126: Path Traversal

News

Web Application Detections Published in October 2024
In October, Qualys released QIDs targeting vulnerabilities in several widely used software products, including WordPress, Zohocorp ManageEngine Endpoint, Lobe Chat, Ivanti Virtual Traffic Manager (vTM), Traefik, Nginx Proxy Manager, Harbor, Haproxy, SolarWinds Access Rights Manager (ARM), Cacti, Ivanti Endpoint Manager Mobile (EPMM), JetBrains TeamCity, Palo Alto Networks Expedition, Progress Telerik Report Server, Zimbra, Oracle WebLogic Server, Apache Solr, FlatPress CMS, pgAdmin, Grafana, pfSense, SolarWinds Web Help Desk, Ivanti Avalanche, ReCrystallize Server, Joomla!, and PHP. The QIDs released to detect the vulnerabilities in the frameworks above are listed below. Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities.

QID 152202: Zohocorp ManageEngine Endpoint Central Incorrect Authorization Vulnerability (CVE-2024-38868)
QID 152206: WordPress Delicious Recipe Plugin: Arbitrary File Movement and Reading Vulnerability (CVE-2024-7626)
QID 152207: WordPress Simple Spoiler Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8479)
QID 152209: WordPress PropertyHive Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8490)
QID 152210: WordPress Share This Image Plugin: Open Redirect Vulnerability (CVE-2024-8761)
QID 152215: WordPress infolinks Ad Wrap Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8044)
QID 152216: WordPress Bit File Manager Plugin:
Update Thu Oct 10 22:28:19 UTC 2024
CVE-2024-8704
This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. Severity 3.1 (CVSS 3.1 Base Score)
High - CVE-2024-8704 - The Advanced File Manager plugin for WordPress...
The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 5.2.8 via the 'fma_locale' parameter. This makes it...
CVE-2024-8704
High Severity Description The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 5.2.8 via the 'fma_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Read more at https://www.tenable.com/cve/CVE-2024-8704

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
