CVE-2023-2068
published 2023-06-27


Priority P277 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 39.62% (98.4th percentile)
The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| advancedfilemanager | file_manager_advanced_shortcode | <= 2.3.2 | |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: GET <webshell_url>?cmd=<COMMAND>
  • Monitor for the multipart boundary string '----WebKitFormBoundaryI52DGCOt37rixRS1' in HTTP POST bodies to /wp-admin/admin-ajax.php, as this is the hardcoded boundary used by the public exploit.
  • Look for GET requests to newly uploaded .php files under the WordPress uploads/file-manager directory immediately following a POST to admin-ajax.php with action=fma_load_shortcode_fma_ui, indicating webshell execution via ?cmd= parameter.
  • Scan page source for the '_fmakey' token being exposed to unauthenticated users; its presence on a public-facing page indicates the shortcode is deployed in a vulnerable configuration exploitable without authentication.
  • The vulnerability is exploitable unauthenticated only when the File Manager Advanced Shortcode is placed on a public-facing page; if restricted to authenticated users, authentication is still required but the upload bypass still works.
  • Shortcode plugin versions 2.3.2 and lower are vulnerable; additionally, the parent File Manager Advanced plugin must be version 5.0.5 or lower for the configuration to be vulnerable.
  • The exploit bypasses MIME type restrictions by supplying 'upload_allow=text/x-php' as a POST parameter, overriding the server-side allowed MIME type list; sites that explicitly block PHP MIME types at the web server level (e.g., via .htaccess or nginx config) may not be directly exploitable even if the plugin is vulnerable.
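
A log-correlation check for the second indicator above, added here as an example (it is not code from the advisory, the plugin or this database). It assumes Combined Log Format access logs, a 10-minute correlation window and upload paths containing uploads/file-manager/; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: client ip, timestamp, method, request target.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
AJAX = "/wp-admin/admin-ajax.php"
# Assumption: uploaded files are served from a path containing uploads/file-manager/.
UPLOADED_PHP = re.compile(r"/uploads/file-manager/.*\.php$", re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_upload_then_exec(lines, window=WINDOW):
    """Return (ip, php_path, has_cmd_param) for each GET to a .php file under
    uploads/file-manager that follows a POST to admin-ajax.php from the same
    client within `window`."""
    last_post = {}  # client ip -> time of its most recent POST to admin-ajax.php
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the expected format
        ip, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        if method == "POST" and url.path == AJAX:
            # Access logs rarely record POST bodies, so the action value is not checked here.
            last_post[ip] = when
        elif method == "GET" and UPLOADED_PHP.search(url.path):
            seen = last_post.get(ip)
            if seen is not None and timedelta(0) <= when - seen <= window:
                has_cmd = "cmd" in parse_qs(url.query, keep_blank_values=True)
                hits.append((ip, url.path, has_cmd))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [27/Jun/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Jun/2023:10:00:05 +0000] "GET /wp-content/uploads/file-manager/x.php?cmd=EXAMPLE HTTP/1.1" 200 64',
    '198.51.100.9 - - [27/Jun/2023:10:01:00 +0000] "GET /wp-content/uploads/file-manager/report.php HTTP/1.1" 404 0',
    '203.0.113.7 - - [27/Jun/2023:10:02:00 +0000] "GET /wp-content/uploads/file-manager/photo.jpg HTTP/1.1" 200 900',
    '192.0.2.44 - - [27/Jun/2023:09:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [27/Jun/2023:10:30:00 +0000] "GET /wp-content/uploads/file-manager/y.php HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE):
        print(hit)
```

Because the correlation key is the client IP, requests relayed through a shared proxy or CDN need the real client address in the first log field for the check to be meaningful.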

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 4.0 · MEDIUM