CVE-2024-13914: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WP Experts File Manager Advanced Shortcode

Severity: High
Tags: Vulnerability, CVE-2024-13914, cve, cwe-22
Published: Thu May 15 2025 (05/15/2025, 05:22:57 UTC)
Source: CVE
Vendor/Project: WP Experts
Product: File Manager Advanced Shortcode

Description

The File Manager Advanced Shortcode WordPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manager_advanced' shortcode. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Sites currently using 2.5.4 (file-manager-advanced-shortcode) should be updated to 2.6.0 (advanced-file-manager-pro-premium).

AI-Powered Analysis

Last updated: 07/06/2025, 10:10:48 UTC

Technical Analysis

CVE-2024-13914 is a high-severity vulnerability affecting the WordPress plugin 'File Manager Advanced Shortcode' developed by WP Experts. The flaw is categorized as CWE-22, which refers to improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability. This vulnerability exists in all versions up to and including 2.5.4 of the 'file-manager-advanced-shortcode' and 2.5.6 of 'advanced-file-manager-pro-premium'. The issue arises through the 'file_manager_advanced' shortcode, which allows authenticated users with Administrator-level privileges or higher to perform Local File Inclusion (LFI). Exploiting this vulnerability enables attackers to include and execute arbitrary JavaScript files on the server. This can lead to bypassing access controls, unauthorized access to sensitive data, and potentially full code execution if attackers upload and include files disguised as safe types such as images. The vulnerability does not require user interaction beyond authentication, but it does require high privileges (admin or above). The CVSS v3.1 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, high privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the risk is significant given the potential for code execution and data compromise. The recommended remediation is to update affected installations to version 2.6.0 of the plugin, where the vulnerability has been fixed.
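The check that closes a CWE-22 hole of the kind the analysis describes (a user-supplied file name that must stay inside one restricted directory), written here as an added Python illustration rather than the plugin's own PHP code. The directory layout, the extension allowlist and the function names are constructed assumptions, not details from the advisory.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf"}  # assumed allowlist; the plugin's real rules are not on the page


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Real path of `requested` if it stays under base_dir after '..' and symlink resolution, else None."""
    if "\x00" in requested:  # a NUL byte would truncate the name in C-level file APIs
        return None
    base_real = os.path.realpath(base_dir)
    # Treat the input as relative: a leading '/' must not re-root the lookup.
    candidate = os.path.realpath(os.path.join(base_real, requested.lstrip("/\\")))
    # commonpath, not startswith(): a sibling like '/srv/public_old' would pass a prefix test
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate if os.path.isfile(candidate) else None


def build_fixture() -> str:
    """Constructed layout: <root>/public is the restricted dir; <root>/secret must stay unreachable."""
    root = Path(tempfile.mkdtemp())
    (root / "public" / "docs").mkdir(parents=True)
    (root / "secret").mkdir()
    (root / "public" / "docs" / "report.txt").write_text("constructed report\n")
    (root / "secret" / "db.php").write_text("<?php // constructed secret\n")
    try:  # allowed extension, but the link target lies outside the base
        (root / "public" / "link.txt").symlink_to(root / "secret" / "db.php")
    except OSError:  # symlinks unavailable on this platform; the entry is then simply missing
        pass
    return str(root)


SAMPLE_REQUESTS: List[str] = [
    "docs/report.txt",           # legitimate -> accepted
    "../secret/db.php",          # plain traversal -> rejected
    "docs/../../secret/db.php",  # traversal hidden behind a valid prefix -> rejected
    "/secret/db.php",            # absolute path, re-rooted under base, wrong extension -> rejected
    "link.txt",                  # symlink escaping the base -> rejected
]


def evaluate(root: str, requests: List[str]) -> Dict[str, bool]:
    """Map each request to whether the hardened check accepts it."""
    base = os.path.join(root, "public")
    return {r: resolve_under_base(base, r) is not None for r in requests}
```

Running `evaluate(build_fixture(), SAMPLE_REQUESTS)` accepts only the first request; the same containment logic applies to a shortcode attribute, an upload handler or any other path parameter.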

Potential Impact

For European organizations, this vulnerability poses a serious risk, especially for those relying on WordPress websites with the affected plugin installed. Compromise could lead to unauthorized access to sensitive customer data, intellectual property, or internal systems, potentially violating GDPR and other data protection regulations. The ability to execute arbitrary JavaScript on the server could facilitate further attacks such as web shell deployment, lateral movement, or persistent backdoors. This could disrupt business operations, damage reputation, and incur regulatory penalties. Organizations in sectors with high web presence such as e-commerce, media, and government are particularly vulnerable. Since exploitation requires administrator-level access, the threat is heightened if internal accounts are compromised or if attackers gain admin credentials through phishing or other means. The vulnerability's network accessibility means that once admin credentials are obtained, exploitation can be performed remotely without user interaction, increasing the attack surface.

Mitigation Recommendations

1. Immediately update the 'File Manager Advanced Shortcode' plugin to version 2.6.0 or later, which contains the patch for this vulnerability.
2. Restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise.
3. Conduct regular audits of WordPress plugins and remove or replace any unnecessary or outdated plugins to minimize the attack surface.
4. Implement a web application firewall (WAF) with rules to detect and block path traversal attempts and suspicious shortcode usage.
5. Monitor server and application logs for unusual file inclusion activity or unexpected JavaScript execution.
6. Employ file integrity monitoring to detect unauthorized changes to plugin files or uploads.
7. Educate administrators on phishing and credential security to prevent privilege escalation.
8. Consider isolating WordPress instances and limiting file upload capabilities to reduce the impact of potential exploitation.

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-03-01T00:07:02.857Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec5bf

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 10:10:48 AM

Last updated: 8/8/2025, 10:34:12 AM