CVE-2024-13914 is a path traversal vulnerability (CWE-22) found in the WP Experts File Manager Advanced Shortcode plugin for WordPress, affecting all versions up to 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium). The flaw exists in the handling of the 'file_manager_advanced' shortcode, which does not properly restrict pathname inputs to a safe directory. This allows an authenticated attacker with administrator-level privileges to perform Local File Inclusion (LFI) attacks by manipulating the shortcode parameters to include arbitrary JavaScript files from the server. Such inclusion can lead to execution of malicious scripts, bypassing normal access controls, exposing sensitive information, or enabling further code execution on the server. The vulnerability is particularly dangerous because it leverages the plugin's file upload and inclusion features, which may allow attackers to upload seemingly safe file types (e.g., images) and then execute them as scripts. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed in May 2025, with no known exploits in the wild at the time of publication. The recommended remediation is to upgrade affected installations to version 2.6.0 of the plugin, which addresses the path traversal issue.

This vulnerability poses a significant risk to organizations running WordPress sites with the vulnerable File Manager Advanced Shortcode plugin. Successful exploitation can lead to arbitrary code execution on the web server, potentially allowing attackers to fully compromise the affected website, steal sensitive data such as user credentials or proprietary information, and bypass security controls. Because the attack requires administrator-level access, the threat is primarily from insiders or attackers who have already compromised lower-level accounts and escalated privileges. However, given the widespread use of WordPress and the popularity of file management plugins, the vulnerability could be leveraged in targeted attacks against high-value websites, including e-commerce platforms, corporate portals, and content management systems. The ability to execute arbitrary JavaScript also raises the risk of persistent cross-site scripting (XSS) attacks affecting site visitors. The overall impact includes loss of data confidentiality, integrity, and availability, damage to organizational reputation, and potential regulatory compliance violations.

Organizations should immediately update the File Manager Advanced Shortcode plugin to version 2.6.0 or later, which contains the fix for this path traversal vulnerability. Beyond patching, administrators should audit user privileges to ensure that only trusted personnel have administrator-level access, minimizing the risk of insider exploitation. Implement strict input validation and sanitization on all shortcode parameters if custom modifications exist. Employ Web Application Firewalls (WAFs) with rules designed to detect and block path traversal attempts and suspicious file inclusion patterns. Regularly monitor server logs for unusual file access or inclusion activities. Additionally, restrict file upload types and enforce content-type validation to prevent uploading executable scripts disguised as safe file types. Conduct periodic security assessments and penetration testing focused on plugin vulnerabilities. Finally, maintain a robust backup and incident response plan to quickly recover from potential compromises.