exploitDog

CVE-2024-11391

Опубликовано: 03 дек. 2024

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Ссылки

https://plugins.trac.wordpress.org/changeset/3199242/
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/f14a658c-1517-4af4-8bd7-c379ac07ab35?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:advancedfilemanager:advanced_file_manager:*:*:*:*:*:wordpress:*:*

Версия до 5.2.11 (исключая)

EPSS

Процентиль: 92%

0.08169

Низкий

7.5 High

CVSS3

Дефекты

CWE-434

Связанные уязвимости

GHSA-jccv-2p4j-xrg6

CVSS3: 7.5

github

около 1 года назад

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

EPSS

Процентиль: 92%

0.08169

Низкий

7.5 High

CVSS3

Дефекты

CWE-434