CVE-2024-8725
published 2024-09-26


Priority: P4 (28)  |  Severity: medium  |  CVSS 3.1 base score: 5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.35% (percentile 27.1)
Multiple plugins and/or themes for WordPress are vulnerable to Limited File Upload in various versions. The cause is a missing check that lower-privileged roles cannot upload .css and .js files to arbitrary directories. An authenticated attacker with Subscriber-level access or higher, who has been granted permissions by an administrator, can therefore upload .css and .js files to any directory under the WordPress root; a script or stylesheet placed where pages already load it is served to every visitor, which leads to Stored Cross-Site Scripting. The Advanced File Manager Shortcodes plugin must be installed for the vulnerability to be exploitable.
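The failure mode described above, as an added illustration (this is not code from Advanced File Manager or any other plugin): a shortcode-driven uploader whose only gate is an administrator-granted permission, shown beside a version that pins the destination under a configured root and refuses script-capable extensions for roles that cannot already edit theme code. The function names, the capability afm_example_upload (standing in for "granted permissions by an administrator") and the upload root are assumptions; the WordPress functions called (current_user_can, wp_die, sanitize_file_name, wp_basename, wp_check_filetype, check_admin_referer) are real.

```php
<?php
/**
 * Added illustration for CVE-2024-8725's failure mode; not code from Advanced
 * File Manager or any other plugin. Function names, the hypothetical capability
 * 'afm_example_upload' and the upload root below are assumptions.
 */

// Hypothetical: the directory an administrator configured for the shortcode.
const AFM_EXAMPLE_UPLOAD_ROOT = ABSPATH . 'wp-content/uploads/file-manager';

// Extensions that run in a visitor's browser (or on the server) once the file
// is requested directly or referenced by a page.
const AFM_EXAMPLE_ACTIVE_EXTENSIONS = array( 'js', 'css', 'html', 'htm', 'svg', 'php', 'phtml', 'phar' );

/* ---- Vulnerable pattern: the administrator's grant is the only gate ------ */
function afm_example_upload_vulnerable( array $file, string $target_dir ): string {
    if ( ! current_user_can( 'afm_example_upload' ) ) {   // a Subscriber can hold this
        wp_die( 'forbidden', 403 );
    }
    // $target_dir and the file name come from the request unchecked, so
    // "wp-content/themes/<active-theme>" plus "custom.js" lands beside files
    // the theme already serves to every visitor.
    $dest = ABSPATH . $target_dir . '/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

/* ---- Hardened pattern: contain the path, then gate the type by role ------ */
function afm_example_upload_hardened( array $file, string $target_dir ): string {
    if ( ! current_user_can( 'afm_example_upload' ) ) {
        wp_die( 'forbidden', 403 );
    }

    // 1. Destination stays under the configured root. realpath() canonicalises
    //    "../" and symlinks; the trailing separator stops a prefix match on a
    //    sibling such as ".../file-manager-private".
    $root = realpath( AFM_EXAMPLE_UPLOAD_ROOT );
    $dir  = realpath( AFM_EXAMPLE_UPLOAD_ROOT . '/' . $target_dir );
    if ( false === $root || false === $dir
        || 0 !== strpos( $dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'target directory is outside the upload root', 403 );
    }

    // 2. The file name is a bare name with no path components.
    $name = sanitize_file_name( wp_basename( $file['name'] ) );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $name || '' === $ext ) {
        wp_die( 'invalid file name', 400 );
    }

    // 3. Script-capable types are reserved for users who may already edit
    //    theme/plugin code. For everyone else the upload is refused, not
    //    silently redirected to a "safe" directory.
    if ( in_array( $ext, AFM_EXAMPLE_ACTIVE_EXTENSIONS, true ) && ! current_user_can( 'edit_themes' ) ) {
        wp_die( 'this role may not upload script-capable files', 403 );
    }

    // 4. Remaining types still have to pass WordPress's own per-user allow-list
    //    (wp_check_filetype() returns an empty 'ext' when the type is not allowed).
    $type = wp_check_filetype( $name );
    if ( empty( $type['ext'] ) ) {
        wp_die( 'file type not permitted', 403 );
    }

    $dest = $dir . DIRECTORY_SEPARATOR . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        wp_die( 'upload failed', 500 );
    }
    return $dest;
}

// Hypothetical request handler the shortcode's form posts to (logged-in users
// reach admin_post_{action}); the nonce check covers the CSRF angle separately.
add_action( 'admin_post_afm_example_upload', function () {
    check_admin_referer( 'afm_example_upload' );
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'no file', 400 );
    }
    $dir  = isset( $_POST['dir'] ) ? (string) wp_unslash( $_POST['dir'] ) : '';
    $dest = afm_example_upload_hardened( $_FILES['file'], $dir );
    wp_safe_redirect( add_query_arg( 'uploaded', rawurlencode( wp_basename( $dest ) ), wp_get_referer() ) );
    exit;
} );
```

The ordering matters: the path check runs before the type check, so an attacker cannot learn which directories exist by probing with an allowed extension first. The CVSS vector above (PR:L, UI:R, S:C) matches this model: the low-privileged uploader stores the payload, and the impact is realised in the browser of whoever later loads the page that pulls in the planted .js or .css.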

Affected (5 ranges)

Vendor                        | Product                                                                          | Version range      | Fixed in
advancedfilemanager           | advanced_file_manager                                                            | < 5.2.9            | 5.2.9
jose-node-cjs-runtime_project | jose-node-cjs-runtime                                                            | >= 0, < 4.15.5     | 4.15.5
jose_project                  | jose                                                                             | >= 0, < 2.0.7      | 2.0.7
jose_project                  | jose                                                                             | >= 3.0.0, < 4.15.5 | 4.15.5
saadiqbal                     | advanced_file_manager_ultimate_file_manager_for_wordpress_and_document_library_s | <= 5.2.8           | (none listed)

Only the two advanced_file_manager rows correspond to the description above (a WordPress plugin, fixed in 5.2.9). The three jose rows name a JavaScript library that the description never mentions; verify them against the primary advisory before treating jose as affected by this CVE.