CVE-2024-8746

7.5 HIGH

📋 TL;DR

The File Manager Pro WordPress plugin allows unauthenticated attackers to download and upload arbitrary backup files through an AJAX endpoint without proper file type validation. This vulnerability affects all WordPress sites using File Manager Pro versions up to 8.3.9. Attackers who gain access to the file manager interface can potentially achieve remote code execution.

💻 Affected Systems

Products:
  • File Manager Pro WordPress Plugin
Versions: All versions up to and including 8.3.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when the file manager shortcode is used and accessible. Requires attacker to have access to the file manager interface, which administrators often grant to users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete server compromise, data theft, malware deployment, and website defacement.

🟠 Likely Case

Unauthorized file upload/download leading to information disclosure, backdoor installation, or privilege escalation.

🟢 If Mitigated

Limited impact if file manager access is restricted and proper file permissions are in place.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires only file manager access which administrators often grant.
🏢 Internal Only: MEDIUM - Internal attackers with file manager access could exploit this, but exploitation still requires initial access to the file manager interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once an attacker gains access to the file manager interface. The vulnerability is in a publicly accessible AJAX endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.0 or later

Vendor Advisory: https://filemanagerpro.io/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find File Manager Pro.
4. Click 'Update Now' if available.
5. If not available, download version 8.4.0+ from the vendor site and manually update.

🔧 Temporary Workarounds

Disable File Manager Access (applies to: all)

Remove or restrict access to the file manager interface for all non-administrative users.

Remove Plugin (applies to: all)

Temporarily disable or remove the File Manager Pro plugin until patched.

🧯 If You Can't Patch

  • Implement strict file upload validation at web application firewall level
  • Restrict access to /wp-admin/admin-ajax.php endpoint for unauthenticated users

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → File Manager Pro version. If version is 8.3.9 or lower, you are vulnerable.

Check Version:

wp plugin list --name='File Manager Pro' --field=version (if WP-CLI is installed)

Verify Fix Applied:

Verify File Manager Pro version is 8.4.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads/downloads via admin-ajax.php
  • POST requests to admin-ajax.php with action=mk_file_folder_manager_shortcode
  • Unexpected .zip, .tar, or backup file operations

Network Indicators:

  • Unusual traffic to /wp-admin/admin-ajax.php with file upload/download parameters
  • Large file transfers to/from WordPress admin endpoints

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (action="mk_file_folder_manager_shortcode" OR parameters LIKE "%backup%")
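A small access-log scanner that applies the log and network indicators above, added here as an example and not part of the original advisory. It assumes combined-format web server logs with the AJAX action in the query string; the sample lines (including the cmd and file parameter names) are constructed for illustration and are not real traffic or real plugin parameters.

```python
import re
from urllib.parse import urlparse, parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "mk_file_folder_manager_shortcode"  # action named in the advisory

# Constructed sample lines (combined log format); not real traffic.
# The cmd/file parameter names are assumptions, not documented plugin parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=mk_file_folder_manager_shortcode HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager_shortcode&cmd=download&file=site-backup.zip HTTP/1.1" 200 73400320 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /wp-content/uploads/2024/10/image.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the checks below need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def analyze_line(line, large_bytes=10_000_000):
    """Return a finding dict for a suspicious admin-ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["target"])
    if url.path != AJAX_PATH:
        return None  # only the AJAX endpoint is in scope
    params = parse_qs(url.query)
    reasons = []
    # Indicator 1: the file manager shortcode action from the advisory.
    if VULN_ACTION in params.get("action", []):
        reasons.append("file-manager-shortcode action")
    # Indicator 2: backup/archive file names in any request parameter.
    values = [v.lower() for vs in params.values() for v in vs]
    if any("backup" in v or v.endswith((".zip", ".tar", ".tar.gz")) for v in values):
        reasons.append("backup/archive filename in parameters")
    # Indicator 3: large transfer through the admin endpoint (size is response bytes).
    size = int(m["bytes"]) if m["bytes"] != "-" else 0
    if size >= large_bytes:
        reasons.append(f"large transfer ({size} bytes)")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "reasons": reasons, "line": line}


def scan(log_text, large_bytes=10_000_000):
    """Scan a block of log text and return all findings in order."""
    findings = (analyze_line(l, large_bytes) for l in log_text.splitlines())
    return [f for f in findings if f]
```

Tune the large_bytes threshold to the site's normal admin-ajax.php response sizes; request bodies of uploads are not in standard access logs, so upload detection here relies on parameter names and the action value rather than body content.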
