CVE-2024-13333

7.5 HIGH

📋 TL;DR

The Advanced File Manager WordPress plugin versions 5.2.12 to 5.2.13 allow authenticated attackers with Subscriber-level access and upload permissions to upload arbitrary files due to missing file type validation. This can lead to remote code execution if the 'Display .htaccess?' setting is enabled. WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Advanced File Manager WordPress Plugin
Versions: 5.2.12 to 5.2.13
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires 'Display .htaccess?' setting enabled and authenticated user with upload permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, malware deployment, or site defacement.

🟠 Likely Case: Unauthorized file uploads leading to backdoor installation, privilege escalation, or data exfiltration.

🟢 If Mitigated: Limited impact if proper file permissions and security controls prevent execution of uploaded malicious files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and specific configuration setting enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.14 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3222740/

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Advanced File Manager'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.2.14+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable setting (applies to: all)
  Disable the 'Display .htaccess?' setting in Advanced File Manager configuration

Restrict user upload permissions (applies to: all)
  Remove file upload permissions from Subscriber and other low-privilege roles

🧯 If You Can't Patch

  • Disable the Advanced File Manager plugin entirely
  • Implement web application firewall rules to block file uploads to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Advanced File Manager > Version. If version is 5.2.12 or 5.2.13, system is vulnerable.

Check Version:

wp plugin list --name=file-manager-advanced --field=version

(The WP-CLI name filter matches the plugin directory slug, file-manager-advanced, not the display name 'Advanced File Manager'.)

Verify Fix Applied:

Confirm plugin version is 5.2.14 or higher in WordPress admin panel.
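The version check above, as an added example that is not part of the advisory or the plugin's own code: it parses the Version header WordPress reads from a plugin's main PHP file and maps it onto the affected range stated here (5.2.12 to 5.2.13, fixed in 5.2.14). The sample header and the directory-scanning helper are constructed assumptions.

```python
import re
from pathlib import Path

# Affected range and fix version exactly as stated in this advisory.
AFFECTED_MIN = (5, 2, 12)
AFFECTED_MAX = (5, 2, 13)
FIXED = (5, 2, 14)

# WordPress plugin headers are "Key: value" lines in the leading comment block
# of the main PHP file; "Version:" is what the Plugins screen displays.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """Return the Version header from plugin file contents as an int tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    try:
        return tuple(int(p) for p in m.group(1).split("."))
    except ValueError:
        return None  # non-numeric version string, cannot classify safely

def classify(version):
    """Map a version tuple to 'vulnerable', 'fixed', 'unaffected' or 'unknown'."""
    if version is None:
        return "unknown"
    # Normalise to exactly three components: "5.2" -> (5,2,0), "5.2.13.1" -> (5,2,13).
    v = (version + (0, 0, 0))[:3]
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "fixed"
    return "unaffected"  # older than the affected range per the advisory

def check_plugin_dir(plugin_dir):
    """Scan top-level .php files of a plugin directory (assumed layout) for the header."""
    for php in Path(plugin_dir).glob("*.php"):
        version = parse_version(php.read_text(errors="replace"))
        if version is not None:
            return version, classify(version)
    return None, "unknown"

# Constructed sample header (hypothetical file contents, not the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Advanced File Manager
 * Version: 5.2.13
 */
"""

if __name__ == "__main__":
    found = parse_version(SAMPLE_HEADER)
    print(found, classify(found))
```

Point check_plugin_dir at wp-content/plugins/file-manager-advanced/ to run it against a live install.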

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads via /wp-content/plugins/file-manager-advanced/
  • POST requests to fma_local_file_system endpoint with suspicious file extensions

Network Indicators:

  • HTTP POST requests to file-manager-advanced endpoints with executable file uploads

SIEM Query:

source="web_server" AND uri_path="/wp-content/plugins/file-manager-advanced/" AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
