CVE-2024-11391 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the Advanced File Manager plugin for WordPress developed by modalweb. The flaw arises from insufficient validation of uploaded file types in the 'class_fma_connector.php' component, allowing authenticated users with Subscriber-level access or higher—provided they have permissions granted by an Administrator—to upload arbitrary files to the web server. This unrestricted file upload can be exploited to place malicious scripts or executables on the server, potentially enabling remote code execution (RCE). The vulnerability affects all plugin versions up to 5.2.10. The attack vector is network-based, requiring authentication but no user interaction beyond login. The CVSS v3.1 score of 7.5 indicates a high-severity issue with significant impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the nature of the vulnerability makes it a critical risk for WordPress sites using this plugin, especially those with multiple users having elevated permissions. The vulnerability's root cause is the lack of proper file type validation and sanitization during the upload process, which is a common security oversight in web applications handling file uploads.

The impact of CVE-2024-11391 is substantial for organizations running WordPress sites with the Advanced File Manager plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially leading to full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is at risk due to unauthorized access to sensitive files or data. Integrity can be compromised by altering website content or injecting malicious code. Availability may be affected if attackers disrupt services or deploy ransomware. Since exploitation requires only low-level authenticated access with permissions granted by an Administrator, insider threats or compromised accounts pose a significant risk. The vulnerability can be leveraged in targeted attacks against organizations with multiple WordPress users or weak access controls, increasing the attack surface. The absence of known exploits in the wild currently limits immediate widespread impact but does not reduce the urgency for remediation.

To mitigate CVE-2024-11391, organizations should immediately audit user roles and permissions within WordPress, ensuring that Subscriber-level users do not have unnecessary upload permissions granted by Administrators. Restrict file upload capabilities strictly to trusted users and roles. Monitor and log file upload activities for suspicious behavior. Until an official patch is released, consider disabling or removing the Advanced File Manager plugin if it is not essential. If the plugin is critical, implement web application firewall (WAF) rules to block suspicious file upload attempts and restrict execution permissions on upload directories to prevent execution of uploaded files. Employ file integrity monitoring to detect unauthorized changes. Regularly update WordPress core and plugins to the latest versions once a patch addressing this vulnerability is available. Additionally, educate administrators on the risks of granting upload permissions and enforce the principle of least privilege. Conduct penetration testing focusing on file upload functionality to verify the effectiveness of mitigations.