CVE-2024-13805
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to upload malicious SVG files containing stored cross-site scripting (XSS) payloads. When other users view these SVG files, arbitrary JavaScript executes in their browsers. All WordPress sites using the Advanced File Manager plugin up to version 5.2.14 are affected.
💻 Affected Systems
- Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
📦 What is this software?
Advanced File Manager by Advancedfilemanager
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites, potentially leading to full site compromise.
Likely Case
Attackers with subscriber accounts upload malicious SVG files that execute scripts when viewed by administrators or other users, enabling session hijacking or limited site manipulation.
If Mitigated
With proper user role management and file upload restrictions, impact is limited to low-privilege users viewing malicious files, preventing escalation to administrative actions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has a low-privilege account with upload permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.15
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3249482/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Advanced File Manager' and click 'Update Now'. 4. Verify version is 5.2.15 or higher.
🔧 Temporary Workarounds
Disable SVG uploads
allAdd code to WordPress theme's functions.php to block SVG file uploads through the plugin
add_filter('upload_mimes', function($mimes) { unset($mimes['svg']); return $mimes; });
Restrict user upload permissions
allRemove file upload capabilities from Subscriber and other low-privilege roles
// Use WordPress role management plugins or custom code to modify capabilities
🧯 If You Can't Patch
- Temporarily disable the Advanced File Manager plugin until patching is possible
- Implement web application firewall (WAF) rules to block SVG uploads containing script tags
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Advanced File Manager version. If version is 5.2.14 or lower, you are vulnerable.Check Version:
wp plugin list --name='Advanced File Manager' --field=versionVerify Fix Applied:
After updating, confirm plugin version shows 5.2.15 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads from low-privilege users
- Multiple failed upload attempts with suspicious filenames
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with SVG file uploads
- Unusual file upload patterns to plugin endpoints
SIEM Query:
source="wordpress.log" AND ("svg" AND "upload") AND user_role="subscriber"