CVE-2024-8126
📋 TL;DR
The Advanced File Manager WordPress plugin allows authenticated attackers with Subscriber-level access to upload arbitrary files, including .htaccess files, which can lead to remote code execution. This affects all versions up to 5.2.8. Attackers must first have been granted file manager permissions by an Administrator, but once granted, they can compromise the server.
💻 Affected Systems
- Advanced File Manager WordPress plugin
📦 What is this software?
Advanced File Manager by Advancedfilemanager
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, defacement, malware distribution, or ransomware deployment.
Likely Case
Unauthorized file uploads leading to backdoor installation, privilege escalation, or site defacement.
If Mitigated
Limited impact if proper file upload restrictions and user permission controls are enforced.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once permissions are granted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3157713/
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Advanced File Manager' and update to version 5.2.9 or later.
4. Verify update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable file upload endpoint
Block access to the vulnerable class_fma_connector.php file via web server configuration.
# For Apache: Add to .htaccess
# (Apache 2.4 without mod_access_compat: replace the Order/Deny lines with "Require all denied")
<Files "class_fma_connector.php">
Order Allow,Deny
Deny from all
</Files>
# For Nginx: Add to server block
location ~* /class_fma_connector\.php$ {
deny all;
}
Restrict user permissions
Remove file manager permissions from all Subscriber-level users and audit Administrator-granted permissions.
# No commands - perform via WordPress admin interface
🧯 If You Can't Patch
- Immediately disable the Advanced File Manager plugin via WordPress admin interface.
- Implement strict file upload restrictions at web server level and monitor for suspicious upload attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Advanced File Manager. If version is 5.2.8 or lower, you are vulnerable.
Check Version:
# Check via WordPress CLI if available
wp plugin get file-manager-advanced --field=version
Verify Fix Applied:
After updating, confirm plugin version shows 5.2.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/file-manager-advanced/application/class_fma_connector.php
- File uploads to unexpected directories, especially .htaccess files
- Unauthorized file modification events in web server logs
Network Indicators:
- Unusual outbound connections from web server following file uploads
- HTTP requests with file upload patterns to the vulnerable endpoint
SIEM Query:
source="web_server_logs" AND (uri="/wp-content/plugins/file-manager-advanced/application/class_fma_connector.php" OR filename="*.htaccess")
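The log indicators above can be checked outside a SIEM by scanning the web server access log directly. The following is an added example (not part of the original advisory and not the plugin's own code) that parses Apache combined-format lines, flags every request to the connector endpoint, and counts successful POSTs per source address. The log lines are constructed for illustration, and the connector path assumes the default wp-content location; adjust CONNECTOR_PATH if the site uses a custom plugin directory. Uploads of .htaccess files are not visible in the access log and still need file-integrity monitoring.

```python
import re
from collections import Counter

# Constructed sample access log lines (Apache combined format); not from a real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2024:10:15:09 +0000] "POST /wp-content/plugins/file-manager-advanced/application/class_fma_connector.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2024:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Sep/2024:10:16:45 +0000] "POST /wp-content/plugins/file-manager-advanced/application/class_fma_connector.php HTTP/1.1" 200 188 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Sep/2024:10:17:02 +0000] "GET /wp-content/plugins/file-manager-advanced/application/class_fma_connector.php HTTP/1.1" 403 199 "-" "curl/8.0"
"""

# Endpoint named in the advisory's log indicators (assumes the default wp-content path).
CONNECTOR_PATH = "/wp-content/plugins/file-manager-advanced/application/class_fma_connector.php"

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_connector_hits(log_text):
    """Every request whose path (query string ignored) is the connector endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or differently formatted lines
        path = rec["uri"].split("?", 1)[0]
        if path != CONNECTOR_PATH:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "status": int(rec["status"]),
        })
    return hits


def successful_posts_by_ip(hits):
    """Count POSTs that the server accepted (status < 400) per source address.

    A 403 on the connector means the web-server block from the workaround section
    is doing its job; accepted POSTs are the ones worth investigating.
    """
    return Counter(h["ip"] for h in hits if h["method"] == "POST" and h["status"] < 400)


if __name__ == "__main__":
    hits = find_connector_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} -> {h["status"]}')
    print("accepted POSTs per IP:", dict(successful_posts_by_ip(hits)))
```

Run against a real log with `find_connector_hits(open("/var/log/apache2/access.log").read())`; any source with accepted POSTs to the connector while the plugin is at 5.2.8 or lower should be cross-checked against the list of users who hold file manager permissions.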