CVE-2024-8725: CWE-434 Unrestricted Upload of File with Dangerous Type in saadiqbal Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution
Multiple plugins and/or themes for WordPress are vulnerable to Limited File Upload in various versions. This is due to a lack of proper checks to ensure lower-privileged roles cannot upload .css and .js files to arbitrary directories. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files to any directory within the WordPress root directory, which could lead to Stored Cross-Site Scripting. The Advanced File Manager Shortcodes plugin must be installed to exploit this vulnerability.
AI Analysis
Machine-generated threat intelligence
Technical Summary
This vulnerability (CVE-2024-8725) affects the saadiqbal Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution. It arises from improper validation of file uploads: the plugin does not check that lower-privileged roles are barred from writing .css and .js files outside their intended location, so authenticated users with limited privileges (Subscriber-level and above, with permissions granted by an administrator) can upload such files to any directory within the WordPress root. This can enable stored cross-site scripting if an uploaded script or stylesheet is later served to, and executed in, other users' browsers. Exploitation requires the Advanced File Manager Shortcodes plugin to be installed. The CVSS 3.1 base score is 6.8, reflecting a network attack vector and high impact on confidentiality and integrity, offset by high attack complexity; only low privileges are required.
Potential Impact
Successful exploitation can lead to stored cross-site scripting (XSS), compromising confidentiality and integrity of the affected WordPress site. Attackers with limited privileges can upload malicious scripts, potentially leading to unauthorized actions or data exposure within the site context. There is no indication of impact on availability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, restrict file-upload permissions in the Advanced File Manager plugin, especially for Subscriber-level users and other roles with limited privileges. Because the Advanced File Manager Shortcodes plugin is required for exploitation, remove or disable it wherever it is not needed. Monitor for updates from the vendor or plugin author and apply official patches once released.
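One way a file-manager plugin could enforce the two checks the advisory says are missing (confining the destination directory and gating script-capable extensions on privilege), as an added example that is not the plugin's or Wordfence's code; the `afm_` function name, the inert-extension list and the use of an administrator flag derived from `current_user_can('manage_options')` are assumptions:

```php
<?php
// Added example, not the plugin's own code: a server-side upload policy that
// closes the gap the advisory describes. The afm_ name and the capability used
// for the administrator gate are assumptions for illustration.

/**
 * Return an error string when an upload must be refused, or null to allow it.
 *
 * @param string $filename    Client-supplied file name.
 * @param string $targetDir   Directory the client asked to write into.
 * @param string $allowedRoot Directory all uploads are confined to.
 * @param bool   $isAdmin     In WordPress: current_user_can('manage_options').
 */
function afm_upload_policy_error(string $filename, string $targetDir,
                                 string $allowedRoot, bool $isAdmin): ?string
{
    // 1. Confine the destination: realpath() resolves '..' and symlinks, so a
    //    request for "<root>/../../wp-admin" cannot escape the upload root.
    $realRoot = realpath($allowedRoot);
    $realDir  = realpath($targetDir);
    if ($realRoot === false || $realDir === false) {
        return 'destination does not exist';
    }
    $realRoot .= DIRECTORY_SEPARATOR;
    if (strpos($realDir . DIRECTORY_SEPARATOR, $realRoot) !== 0) {
        return 'destination outside the permitted upload root';
    }

    // 2. The name must be a bare file name: no separators, no NUL bytes.
    if ($filename !== basename($filename) || strpos($filename, "\0") !== false) {
        return 'invalid file name';
    }

    // 3. Non-administrators get an allow-list of inert types. Every part of a
    //    multi-extension name (e.g. "logo.png.js") is checked, so .css/.js,
    //    the types named in the advisory, can only be written by administrators.
    if (!$isAdmin) {
        $inert = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];   // constructed sample list
        $parts = explode('.', strtolower($filename));
        array_shift($parts);                                   // drop the base name
        foreach ($parts as $ext) {
            if (!in_array($ext, $inert, true)) {
                return "extension .$ext requires administrator privileges";
            }
        }
    }
    return null;
}

// Usage with a constructed directory under the system temp dir.
$root = sys_get_temp_dir() . '/afm_demo';
@mkdir($root, 0700, true);
var_dump(afm_upload_policy_error('logo.png', $root, $root, false));
var_dump(afm_upload_policy_error('theme.js', $root, $root, false));
var_dump(afm_upload_policy_error('theme.js', $root . '/..', $root, true));
```

The first call is allowed, the second is refused on extension, and the third is refused on destination even for an administrator, which is the boundary the advisory's "arbitrary directories" wording refers to.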
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-09-11T19:50:32.883Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b2eb7ef31ef0b54f114
Added to database: 2/25/2026, 9:35:42 PM
Last enriched: 4/9/2026, 8:30:08 AM
Last updated: 4/12/2026, 1:14:35 AM