CVE-2024-8725: CWE-434 Unrestricted Upload of File with Dangerous Type in modalweb Advanced File Manager
CVE-2024-8725 is a vulnerability in the modalweb Advanced File Manager WordPress plugin that allows authenticated users with Subscriber-level access or higher to upload .css and .js files to arbitrary directories within the WordPress root. This occurs due to insufficient validation of file types and permissions, enabling stored cross-site scripting (XSS) attacks. Exploitation requires the Advanced File Manager Shortcodes plugin to be installed. The vulnerability has a CVSS score of 6.8, indicating medium severity, with high impact on confidentiality and integrity but no impact on availability. No known exploits are currently in the wild. Organizations using this plugin should implement strict role-based access controls, monitor file uploads, and apply patches or remove the plugin if possible. Countries with high WordPress usage and significant web presence are most at risk, including the United States, Germany, India, Brazil, and the United Kingdom.
AI Analysis
Technical Summary
CVE-2024-8725 is a security vulnerability identified in the modalweb Advanced File Manager plugin for WordPress, affecting all versions of the plugin. The root cause is a CWE-434 weakness, which is an unrestricted upload of files with dangerous types. Specifically, the plugin fails to properly restrict lower-privileged WordPress roles, such as Subscribers, from uploading potentially malicious .css and .js files to arbitrary directories within the WordPress root. This lack of validation and permission enforcement allows an authenticated attacker with minimal privileges, but granted upload permissions by an administrator, to place malicious scripts that can execute stored cross-site scripting (XSS) attacks. The exploitation requires the Advanced File Manager Shortcodes plugin to be installed, which is a dependency for the attack vector. The vulnerability can lead to significant confidentiality and integrity impacts by enabling attackers to execute arbitrary JavaScript in the context of the vulnerable site, potentially stealing user credentials, session tokens, or performing unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.8, reflecting a medium severity with network attack vector, high attack complexity, low privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk to any WordPress site using this plugin, especially those with multiple users and roles. The lack of patch links suggests that a fix may not yet be available, increasing the urgency for mitigation through configuration and monitoring.
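The three checks the analysis above describes as missing (a role check, a file-type restriction, and confinement of the target directory to one subtree) can be shown together in a small upload gate. This is an added illustration written for this page, not code from the modalweb plugin or from WordPress; the role set, the extension allowlist and the uploads subtree are assumptions chosen for the example.

```python
"""Illustrative upload gate implementing the checks CVE-2024-8725 lacks.

Added example, not the plugin's code. Role names, the allowlist and the
uploads subtree are assumptions for illustration.
"""
from __future__ import annotations

from pathlib import Path

# Roles permitted to write through the manager (assumption: administrators
# only, in line with restricting uploads to trusted roles).
UPLOAD_ROLES = {"administrator"}

# Allowlist of content types a file manager might accept. Script, style and
# server-side code extensions are simply absent, so .js and .css never pass
# and no bypass-prone denylist is needed.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Only this subtree may receive uploads; the weakness in the advisory is that
# arbitrary directories under the WordPress root were reachable.
UPLOAD_SUBDIR = Path("wp-content") / "uploads"


class UploadRejected(ValueError):
    """Raised with a reason string when an upload fails a check."""


def validate_upload(role: str, filename: str, target_dir: str, wp_root: str) -> Path:
    """Return the resolved destination path, or raise UploadRejected."""
    # 1. Authorization: check the role before looking at the file at all.
    if role not in UPLOAD_ROLES:
        raise UploadRejected(f"role {role!r} may not upload files")

    # 2. Filename: keep only the final path component (dropping any '../'),
    #    and require every suffix to be allowlisted, so 'notes.js.png' is
    #    rejected along with 'notes.js'.
    name = Path(filename).name
    if not name or name.startswith("."):
        raise UploadRejected("empty or hidden filename")
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"extension not allowed: {name}")

    # 3. Directory: resolve the requested target and confirm it stays inside
    #    the uploads tree, which defeats '../' sequences and absolute paths.
    root = Path(wp_root).resolve()
    uploads = (root / UPLOAD_SUBDIR).resolve()
    dest_dir = (root / target_dir).resolve()
    try:
        dest_dir.relative_to(uploads)
    except ValueError:
        raise UploadRejected(f"target {target_dir!r} escapes the uploads tree") from None
    return dest_dir / name


def is_allowed(role: str, filename: str, target_dir: str,
               wp_root: str = "/var/www/html") -> bool:
    """Boolean wrapper around validate_upload for quick checks and tests."""
    try:
        validate_upload(role, filename, target_dir, wp_root)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed requests: the first is the only one that should pass.
    for req in [("administrator", "logo.png", "wp-content/uploads/2024"),
                ("subscriber", "logo.png", "wp-content/uploads/2024"),
                ("administrator", "theme.css", "wp-content/uploads"),
                ("administrator", "app.js", "wp-content/uploads/../../wp-admin")]:
        print(req, "->", "allowed" if is_allowed(*req) else "rejected")
```

The order matters: the role check runs first so an unauthorized account learns nothing about which names or directories would have been accepted, and the directory check is done on resolved paths rather than on the string the client sent.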
Potential Impact
The vulnerability allows attackers with minimal authenticated access to upload malicious .css and .js files to arbitrary locations within the WordPress root directory. This can lead to stored XSS attacks, enabling attackers to execute arbitrary JavaScript code in the browsers of site visitors or administrators. Such attacks can compromise user credentials, session cookies, and site integrity, potentially leading to account takeover, data theft, or further compromise of the website. Since the attack requires only Subscriber-level access, it lowers the barrier for exploitation in multi-user WordPress environments. The integrity and confidentiality of the affected sites are at high risk, while availability is not directly impacted. Organizations relying on this plugin for file management face reputational damage, loss of user trust, and potential regulatory consequences if sensitive data is exposed. The absence of known exploits in the wild currently limits immediate widespread impact but does not preclude future exploitation.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the modalweb Advanced File Manager plugin and the Advanced File Manager Shortcodes plugin. If found, restrict upload permissions strictly to trusted roles and users, ideally disabling file uploads for Subscriber-level accounts. Implement web application firewalls (WAF) with rules to detect and block suspicious file uploads, especially .js and .css files in upload directories. Monitor file system changes within the WordPress root directory for unauthorized additions or modifications. If possible, remove or replace the vulnerable plugin with a more secure alternative. Keep WordPress core, themes, and plugins updated and subscribe to vendor advisories for patches. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS attacks. Conduct regular security audits and penetration tests focusing on file upload functionalities. Finally, educate administrators on the risks of granting upload permissions to low-privileged users.
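The recommendation to monitor the WordPress root for unauthorized additions or modifications can be implemented as a baseline-and-diff check over script and style files. The following is an added example for this page, not a tool from the advisory or the plugin vendor: it hashes every .js and .css file under a root, stores the result as a JSON baseline, and on the next run reports added, removed and modified files, surfacing first those that sit outside the directories where such files normally live. The directory layout and the sample files are constructed; adjust WATCH_EXTENSIONS and EXPECTED_CODE_DIRS to your install.

```python
"""Baseline-and-diff monitor for script/style files under a WordPress root.

Added example, not from the advisory or the plugin. The expected directory
layout is an assumption based on a stock WordPress install.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Extensions to track: the two types the advisory names.
WATCH_EXTENSIONS = {".js", ".css"}

# Where script/style files legitimately live (assumed stock layout). Watched
# files added or changed anywhere else are reported with priority.
EXPECTED_CODE_DIRS = ("wp-admin/", "wp-includes/",
                      "wp-content/themes/", "wp-content/plugins/")


def sha256_of(path: Path) -> str:
    """Stream the file so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(wp_root: str) -> dict[str, str]:
    """Map each watched file (root-relative POSIX path) to its SHA-256."""
    root = Path(wp_root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCH_EXTENSIONS
    }


def save_baseline(baseline: dict[str, str], out_file: str) -> None:
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: str) -> dict[str, str]:
    return json.loads(Path(in_file).read_text())


def diff_snapshots(baseline: dict[str, str],
                   current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def out_of_place(changes: dict[str, list[str]]) -> list[str]:
    """Added or modified watched files outside the normal code directories.

    A .js or .css appearing under wp-content/uploads/ or at the site root is
    what abuse of this weakness would leave behind, so those come first.
    """
    return sorted(path for path in changes["added"] + changes["modified"]
                  if not path.startswith(EXPECTED_CODE_DIRS))


def demo() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed WordPress-like tree: baseline it, drop a file, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "themes" / "t").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "themes" / "t" / "style.css").write_text("body{}")
        baseline_file = root / "baseline.json"
        save_baseline(snapshot(tmp), str(baseline_file))
        # Simulate an unexpected script written outside the code directories.
        (root / "wp-content" / "uploads" / "notice.js").write_text("/* constructed */")
        changes = diff_snapshots(load_baseline(str(baseline_file)), snapshot(tmp))
        return changes, out_of_place(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    print(json.dumps(changes, indent=2))
    print("out of place:", flagged)
```

Run `snapshot` and `save_baseline` right after a known-good deployment, store the baseline outside the web root, and schedule the diff; any new entry in the flagged list is worth treating as an incident until the file's origin is explained, since a legitimate theme or plugin update should touch only the expected code directories.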
Affected Countries
United States, Germany, India, Brazil, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-11T19:50:32.883Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b2eb7ef31ef0b54f114
Added to database: 2/25/2026, 9:35:42 PM
Last enriched: 2/25/2026, 10:39:11 PM
Last updated: 2/26/2026, 9:43:33 AM