CVE-2024-8725
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to upload .css and .js files to arbitrary directories within the WordPress root. Attackers can exploit this to achieve Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects WordPress sites using vulnerable plugins/themes, particularly when the Advanced File Manager Shortcodes plugin is installed.
💻 Affected Systems
- WordPress plugins/themes with vulnerable file upload functionality
📦 What is this software?
Advanced File Manager by Advancedfilemanager
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload malicious JavaScript files that execute in visitors' browsers, leading to session hijacking, credential theft, defacement, or malware distribution.
Likely Case
Authenticated attackers upload malicious CSS/JS files to inject scripts that steal cookies or redirect users to malicious sites.
If Mitigated
With proper file upload restrictions and user role management, impact is limited to unauthorized file uploads without execution.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber role or higher) and the Advanced File Manager Shortcodes plugin. Attack path is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check individual plugin/theme updates
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3157713/
Restart Required: No
Instructions:
1. Update all WordPress plugins and themes to the latest versions.
2. Specifically update the Advanced File Manager Shortcodes plugin if it is installed.
3. Verify that file upload restrictions are properly implemented.
🔧 Temporary Workarounds
Restrict File Uploads
Configure the web server to block .css and .js file uploads via .htaccess or nginx rules
# Apache .htaccess example
# These directives stop Apache from serving matching files, so an uploaded
# script or stylesheet cannot be loaded by a browser. Place the .htaccess in
# wp-content/uploads (or another writable directory) rather than the web root,
# otherwise the site's own theme and plugin CSS/JS stops loading.
<FilesMatch "\.(css|js)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Nginx example
# Same idea: scope the location to the writable uploads path, not the whole site.
location ~* ^/wp-content/uploads/.*\.(css|js)$ {
deny all;
}
Remove Vulnerable Plugin
Temporarily disable or remove the Advanced File Manager Shortcodes plugin
wp plugin deactivate file-manager-advanced-shortcodes
wp plugin delete file-manager-advanced-shortcodes
🧯 If You Can't Patch
- Restrict user roles: Remove file upload permissions from Subscriber and Contributor roles.
- Implement WAF rules to block suspicious file upload patterns.
🔍 How to Verify
Check if Vulnerable:
Check if Advanced File Manager Shortcodes plugin is installed and if any plugins/themes have unpatched file upload vulnerabilities.
Check Version:
wp plugin list --fields=name,version
Verify Fix Applied:
Test the file upload functionality as a low-privileged user (Subscriber role): uploads of .css and .js files should be rejected.
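A complementary check for the effect this advisory describes (stylesheets or scripts written into directories where WordPress never places them, such as wp-content/uploads), as an added example that is not part of the advisory or of the plugin's own code. The asset-directory list and the sample tree it builds are constructed assumptions for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the advisory says Subscriber-level users could write anywhere under the root.
WATCHED_EXTENSIONS = {".css", ".js"}
# Where a stock WordPress install legitimately ships .css/.js; anything else is suspect.
EXPECTED_ASSET_DIRS = ("wp-admin", "wp-includes", "wp-content/themes",
                       "wp-content/plugins", "wp-content/mu-plugins")

def classify_path(rel_path):
    """Reason string if rel_path (relative to the WP root) is an out-of-place .css/.js file."""
    rel = rel_path.replace(os.sep, "/").lstrip("/")
    if Path(rel).suffix.lower() not in WATCHED_EXTENSIONS:
        return None
    if any(rel.startswith(d + "/") for d in EXPECTED_ASSET_DIRS):
        return None
    if rel.startswith("wp-content/uploads/"):
        return "script/style in uploads directory"
    return "script/style outside expected asset directories"

def scan_wordpress_root(root, since=None):
    """Sorted (rel_path, reason, mtime) for suspicious files; `since` keeps only newer ones."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = classify_path(rel)
            if reason is None:
                continue
            mtime = os.path.getmtime(full)
            if since is None or mtime >= since:
                findings.append((rel, reason, mtime))
    return sorted(findings)

def build_sample_tree():
    """Constructed WordPress-like layout in a temp dir (not a real site) for demonstration."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel in ("wp-content/themes/demo/style.css",      # legitimate theme asset
                "wp-content/uploads/2024/09/photo.jpg",  # legitimate media upload
                "wp-content/uploads/2024/09/inject.js",  # what this bug class leaves behind
                "wp-content/hidden.css"):                # outside every asset directory
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("/* constructed sample */\n")
    return root
```

Run `scan_wordpress_root("/path/to/wordpress", since=<epoch of last known-good backup>)` against a real install to list only files written after that point; review each hit against the site's change history before deleting it.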
📡 Detection & Monitoring
Log Indicators:
- File upload attempts for .css/.js files by non-admin users
- Unauthorized file modifications in wp-content/uploads
Network Indicators:
- POST requests to file upload endpoints with .css/.js extensions
SIEM Query:
source="web_server" AND (uri_path="*upload*" OR uri_path="*admin-ajax*") AND (file_extension=".css" OR file_extension=".js") AND user_role!="administrator"
🔗 References
- https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_main.php#L24
- https://plugins.trac.wordpress.org/browser/file-manager-advanced/trunk/application/class_fma_shortcode.php#L28
- https://plugins.trac.wordpress.org/changeset/3157713/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ce2b4f93-93a6-480f-a877-ca47bd133bb6?source=cve