
CVE-2024-13333: CWE-434 Unrestricted Upload of File with Dangerous Type in saadiqbal Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin

Severity: High
Tags: Vulnerability, CVE-2024-13333, cve, cve-2024-13333, cwe-434
Published: Fri Jan 17 2025 (01/17/2025, 05:29:27 UTC)
Source: CVE Database V5
Vendor/Project: saadiqbal
Product: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin

Description

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess?" setting is enabled.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 01:41:29 UTC

Technical Analysis

Versions 5.2.12 and 5.2.13 of the Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin contain a high-severity vulnerability tracked as CVE-2024-13333. The flaw lies in the 'fma_local_file_system' function, which does not validate the type of uploaded files, and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). Authenticated users with at least Subscriber-level access who have been granted upload permissions by an administrator can use it to upload arbitrary files to the server hosting the WordPress site. Exploitation requires the plugin's "Display .htaccess?" setting to be enabled, which may expose server configuration files and facilitate exploitation. Because file types are not validated, malicious files such as web shells or scripts can be uploaded and then executed, potentially leading to remote code execution (RCE) and compromising the confidentiality, integrity, and availability of the affected system. The vulnerability has a CVSS 3.1 base score of 7.5 (High), reflecting a network attack vector, low privileges required, no user interaction, and high impact on all three security properties. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with many users and upload permissions enabled. The absence of patch links suggests a patch may not yet be available, so immediate mitigation is advisable.

Potential Impact

The impact of CVE-2024-13333 is substantial for organizations running WordPress sites with the affected Advanced File Manager plugin versions. Exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially leading to full system compromise. This can result in data breaches, defacement, service disruption, or use of the compromised server as a pivot point for further attacks. The vulnerability affects confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by enabling denial-of-service conditions. Organizations with multiple users and delegated upload permissions are at higher risk, as attackers only need Subscriber-level access with upload rights. The requirement for the "Display .htaccess?" setting to be enabled limits the scope somewhat but still leaves many sites vulnerable if this setting is active. Given WordPress's widespread use globally, the potential attack surface is large, and the impact on business operations, reputation, and compliance can be severe.

Mitigation Recommendations

1. Immediately review and restrict upload permissions within the Advanced File Manager plugin, limiting them to trusted users only.
2. Disable the "Display .htaccess?" setting in the plugin configuration to prevent exploitation of this vulnerability.
3. Monitor user roles and permissions carefully, ensuring that Subscriber-level users do not have unnecessary upload rights.
4. Implement web application firewall (WAF) rules to detect and block suspicious file uploads or execution attempts targeting this plugin.
5. Regularly audit uploaded files for unauthorized or suspicious content, especially scripts or executable files.
6. If possible, temporarily disable or uninstall the Advanced File Manager plugin until a security patch is released.
7. Keep WordPress core, themes, and plugins updated and subscribe to vendor advisories for timely patch deployment.
8. Employ server-level restrictions such as disabling execution permissions in upload directories to reduce the risk of remote code execution.
9. Conduct penetration testing and vulnerability scanning focused on file upload functionalities to detect similar weaknesses.
10. Educate administrators and users about the risks of granting upload permissions and the importance of secure configuration.
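Mitigation step 5 (auditing uploaded files) can be automated. The script below is an added example, not code from the advisory or from the plugin; it assumes it runs on the web host with read access to the site's uploads directory, that the allowed-extension set matches what the site actually serves, and the sample tree it writes is constructed data so it can run offline.

```python
import os
import tempfile
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "csv", "docx", "zip"}  # media a site normally needs
SCRIPT_EXT = {"php", "php3", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}  # never acceptable in an upload tree
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG"}  # expected leading bytes (constructed table)

def audit_file(path):
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    name = os.path.basename(path).lower()
    exts = name.split(".")[1:]
    if name in {".htaccess", ".user.ini"}:
        findings.append("server config file in upload tree")
    elif any(e in SCRIPT_EXT for e in exts):  # also catches double extensions such as x.php.jpg
        findings.append("script extension")
    elif not exts or exts[-1] not in ALLOWED_EXT:
        findings.append("extension not in allow-list")
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if b"<?php" in head.lower() or b"<?=" in head:  # script content hiding behind a benign extension
        findings.append("PHP open tag in content")
    if exts and exts[-1] in MAGIC and not head.startswith(MAGIC[exts[-1]]):
        findings.append("magic bytes do not match extension")
    return findings

def audit_tree(root):
    """Walk an uploads tree; map each suspicious file (path relative to root) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if hits := audit_file(full):
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def build_sample_tree():
    """Write a constructed sample uploads tree (not real data) so the audit can run offline."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(root, "2025", "01"))
    samples = {
        "2025/01/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # clean image
        "2025/01/shell.php": b"<?php echo 'script'; ?>",  # script extension and PHP tag
        "2025/01/image.php.jpg": b"\xff\xd8\xff\xe0",  # double extension
        "2025/01/logo.png": b"<?php echo 'not an image'; ?>",  # PHP tag, wrong magic bytes
        ".htaccess": b"# constructed config file in the upload tree\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root
```

In production, call `audit_tree` on the site's wp-content/uploads directory from a scheduled job and alert on any non-empty report.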


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-10T18:07:02.569Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e50b7ef31ef0b59cb86

Added to database: 2/25/2026, 9:49:04 PM

Last enriched: 2/26/2026, 1:41:29 AM

Last updated: 4/12/2026, 3:54:39 PM
