CVE-2024-9669 is a path traversal vulnerability categorized under CWE-22 found in the File Manager Pro – Filester plugin for WordPress. The flaw exists in the handling of the 'fm_locale' parameter, which allows an authenticated attacker with Administrator-level access or higher to perform Local JavaScript File Inclusion. By manipulating this parameter, attackers can include arbitrary files from the server filesystem, leading to execution of malicious code embedded in those files. This vulnerability enables attackers to bypass access controls, potentially exposing sensitive data or achieving remote code execution. The vulnerability affects all versions up to and including 1.8.5, with only a partial patch applied in version 1.8.5, indicating incomplete remediation. The CVSS v3.1 score is 7.2, reflecting high severity due to network attack vector, low attack complexity, required high privileges, and impacts on confidentiality, integrity, and availability. While no public exploits are currently known, the risk is significant given the common use of WordPress and this plugin in website management. The vulnerability requires authenticated administrator access, limiting exploitation to insiders or compromised accounts. However, once exploited, it can lead to full server compromise. The flaw underscores the importance of secure input validation and proper restriction of file inclusion paths in web applications.

The impact of CVE-2024-9669 is substantial for organizations using the File Manager Pro – Filester plugin on WordPress sites. Successful exploitation can lead to arbitrary code execution on the web server, allowing attackers to take full control of the affected system. This can result in unauthorized access to sensitive data, modification or deletion of website content, installation of backdoors or malware, and disruption of website availability. Given the administrative privileges required, the threat is particularly severe in environments where multiple users have elevated access or where credential compromise is possible. Organizations hosting customer data or critical business applications on WordPress sites with this plugin are at risk of data breaches, reputational damage, and operational downtime. The partial patch status increases the risk of incomplete remediation, potentially leaving systems vulnerable even after updates. The vulnerability also poses a risk for lateral movement within networks if attackers leverage compromised WordPress servers as footholds.

To mitigate CVE-2024-9669, organizations should immediately update the File Manager Pro – Filester plugin to the latest version beyond 1.8.5 once a complete patch is released. Until then, restrict administrative access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Disable or limit the use of the vulnerable 'fm_locale' parameter if possible through plugin configuration or web application firewall (WAF) rules. Implement strict input validation and sanitization controls at the web server or application layer to detect and block path traversal attempts. Monitor logs for unusual file inclusion or access patterns indicative of exploitation attempts. Consider isolating WordPress instances with this plugin in segmented network zones to limit potential lateral movement. Regularly audit user privileges and remove unnecessary administrator accounts. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous code execution behaviors. Finally, maintain up-to-date backups to enable recovery in case of compromise.