
CVE-2024-8746: CWE-434 Unrestricted Upload of File with Dangerous Type in File Manager File Manager Pro

Severity: High
Tags: Vulnerability, CVE-2024-8746, cve, cve-2024-8746, cwe-434
Published: Wed Oct 16 2024 (10/16/2024, 06:43:35 UTC)
Source: CVE Database V5
Vendor/Project: File Manager
Product: File Manager Pro

Description

CVE-2024-8746 is a high-severity vulnerability in the File Manager Pro WordPress plugin affecting all versions up to 8.3.9. It allows unauthenticated attackers, if granted access by an administrator, to upload and download arbitrary backup files due to missing file type validation in an AJAX action. This flaw can lead to remote code execution on the affected server. Exploitation requires the attacker to have access to the File Manager interface, which is typically restricted but may be granted by an admin. The vulnerability stems from CWE-434: Unrestricted Upload of File with Dangerous Type. No known exploits are currently reported in the wild. Organizations using this plugin should urgently review access controls and apply patches or mitigations once available. The CVSS score is 7.5.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 22:41:08 UTC

Technical Analysis

CVE-2024-8746 is a vulnerability identified in the File Manager Pro plugin for WordPress, affecting all versions up to and including 8.3.9. The issue arises from the 'mk_file_folder_manager_shortcode' AJAX action, which lacks proper validation of file types during upload and download operations. This missing validation allows unauthenticated attackers, provided they have been granted access to the File Manager by an administrator, to upload and download arbitrary backup files on the web server hosting the WordPress site. Backup files can contain sensitive information such as database dumps, configuration files, or even executable code. By uploading malicious backup files or manipulating existing ones, attackers can potentially achieve remote code execution (RCE), compromising the server's confidentiality, integrity, and availability. The vulnerability is classified under CWE-434, which concerns unrestricted file uploads of dangerous types. The CVSS v3.1 score is 7.5 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, no privileges required, but requiring user interaction. As of the publication date, no known exploits have been reported in the wild, but the risk remains significant due to the severity and ease of exploitation once access is granted. The vulnerability affects a widely used WordPress plugin, making it a critical concern for websites relying on File Manager Pro for file operations.

Potential Impact

The impact of CVE-2024-8746 is substantial for organizations using the File Manager Pro plugin on WordPress sites. Successful exploitation can lead to unauthorized disclosure of sensitive backup files, exposing credentials, database contents, and configuration details. More critically, attackers can upload malicious files that enable remote code execution, allowing full compromise of the web server. This can result in data breaches, defacement, malware deployment, lateral movement within the network, and service disruption. Since WordPress powers a significant portion of the web, including many business, government, and e-commerce sites, the vulnerability poses a widespread risk. The requirement for attacker access to the File Manager interface somewhat limits exploitation but does not eliminate risk, especially in environments with weak access controls or compromised administrator accounts. The vulnerability could be leveraged in targeted attacks against high-value websites or used as a foothold for broader network intrusion campaigns.

Mitigation Recommendations

To mitigate CVE-2024-8746, organizations should immediately audit and restrict access to the File Manager Pro plugin, ensuring only trusted administrators have permissions. Disable or remove the plugin if it is not essential. Monitor and log all file upload and download activities within the plugin to detect suspicious behavior. Apply any available patches or updates from the vendor promptly once released. In the absence of patches, implement web application firewall (WAF) rules to block unauthorized AJAX requests to 'mk_file_folder_manager_shortcode' or restrict this endpoint to trusted IP addresses. Conduct regular security reviews of WordPress plugins and their configurations. Educate administrators on the risks of granting plugin access and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Additionally, isolate WordPress hosting environments to limit the impact of potential compromises and maintain regular backups stored securely offline.
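The two controls above that a defender can implement directly, an IP allowlist in front of the 'mk_file_folder_manager_shortcode' AJAX action and the file type validation the vulnerable action lacks, are modelled below as an added example. This is not code from the advisory, from Wordfence or from the File Manager Pro plugin (which is PHP); it is Python written for this page so the logic can be run and checked. Assumptions, all labelled in the code: that the action is passed as the `action` parameter to `/wp-admin/admin-ajax.php` (the WordPress AJAX convention), that the uploaded name arrives in a parameter called `upload_filename` (a hypothetical name, not the plugin's), and the trusted network and extension allowlists, which are constructed sample values.

```python
"""Added example: request inspection modelling the mitigations for CVE-2024-8746.
Not the plugin's code; the parameter names and allowlists are assumptions."""
import re
from ipaddress import ip_address, ip_network

# Assumption: WordPress dispatches AJAX handlers on the 'action' parameter of admin-ajax.php.
AJAX_PATH = "/wp-admin/admin-ajax.php"
WATCHED_ACTION = "mk_file_folder_manager_shortcode"   # action named in the advisory

# Assumption (constructed sample): the only network allowed to reach the File Manager endpoint.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Extensions a backup feature plausibly needs; everything else is refused.
ALLOWED_EXTENSIONS = {"zip", "sql", "gz", "tar", "txt"}
# Names that a typical PHP host would execute or honour if they reach the web root.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "htaccess"}

SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """The file-type check the vulnerable action is missing.

    Returns (accepted, reason). Refuses path separators, unexpected characters,
    any executable extension anywhere in the name (backup.php.zip is refused,
    since some servers apply handlers to inner extensions), and any final
    extension outside the allowlist.
    """
    if "/" in filename or "\\" in filename or filename in {".", ".."}:
        return False, "path component in filename"
    if not SAFE_NAME.match(filename):
        return False, "disallowed character in filename"
    parts = filename.lower().split(".")
    exts = parts[1:]                      # '.htaccess' -> ['htaccess']
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "executable extension present"
    if not exts:
        return False, "no extension"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} not in allowlist"
    return True, "ok"


def inspect_request(client_ip: str, path: str, params: dict) -> tuple[str, str]:
    """Model of the WAF rule from the mitigation section.

    'params' is the merged query-string and form parameters, because WordPress
    reads 'action' from either. Requests invoking the watched action are blocked
    unless they come from a trusted network; an accompanying upload name (in the
    hypothetical 'upload_filename' parameter) must also pass validation.
    """
    if path != AJAX_PATH or params.get("action") != WATCHED_ACTION:
        return "pass", "not the watched endpoint"
    addr = ip_address(client_ip)
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return "block", "watched action from untrusted address"
    upload_name = params.get("upload_filename")
    if upload_name is not None:
        ok, reason = validate_upload_name(upload_name)
        if not ok:
            return "block", reason
    return "allow", "trusted address and acceptable filename"


# Constructed sample traffic, not captured requests.
SAMPLE_REQUESTS = [
    ("203.0.113.10", AJAX_PATH, {"action": WATCHED_ACTION, "upload_filename": "site-backup.tar.gz"}),
    ("198.51.100.7", AJAX_PATH, {"action": WATCHED_ACTION, "upload_filename": "site-backup.zip"}),
    ("203.0.113.10", AJAX_PATH, {"action": WATCHED_ACTION, "upload_filename": "backup.php.zip"}),
    ("203.0.113.10", AJAX_PATH, {"action": "heartbeat"}),
    ("198.51.100.7", "/index.php", {}),
]


def run_samples() -> list[str]:
    """Decision for each sample request, in order."""
    return [inspect_request(ip, path, params)[0] for ip, path, params in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, path, params), decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{decision:5s} {ip:14s} {path} {params}")
```

Running the module prints one decision per sample: the trusted upload of a `.tar.gz` is allowed, the same action from an untrusted address is blocked regardless of filename, the `backup.php.zip` name is blocked even from the trusted network, and unrelated requests pass through. The allowlist check deliberately runs before the filename check, so an untrusted client never gets feedback on which names the validator accepts.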


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-09-12T01:57:09.799Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b30b7ef31ef0b54f245

Added to database: 2/25/2026, 9:35:44 PM

Last enriched: 2/25/2026, 10:41:08 PM

Last updated: 2/26/2026, 9:43:55 AM

