File Manager Advanced Shortcode WordPress Plugin Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the File Manager Advanced Shortcode WordPress plugin, affecting all versions up to and including 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium). The vulnerability arises through the 'file_manager_advanced' shortcode, allowing authenticated attackers with Administrator-level access or higher to include and execute arbitrary JavaScript files on the server. This exploitation could bypass access controls, access sensitive data, or enable code execution, particularly if images or other 'safe' file types can be uploaded and included.
Impact
Exploitation of this vulnerability could lead to unauthorized inclusion and execution of JavaScript files on the server, with potential consequences such as bypassing access controls, accessing sensitive information, or executing code in scenarios where certain file types can be uploaded and included.
Remediation
Users of the File Manager Advanced Shortcode WordPress plugin should update to version 2.6.0. Users of the Advanced File Manager Pro Premium version should update to the latest patched version.
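As an added defender-side check, not code from the advisory or from the plugin, the Python script below looks for the two affected plugin slugs under a WordPress plugins directory and reports any install whose plugin-header Version is at or below the affected ceiling. The slugs and version numbers are taken from this advisory; the only other assumption is the standard WordPress plugin-header convention (a `Version:` line in the main PHP file's header comment).

```python
"""Flag installs affected by the File Manager Advanced Shortcode LFI advisory.

Usage: python check_fma_shortcode.py /var/www/html/wp-content/plugins
"""
import re
import sys
from pathlib import Path

# Affected ceilings from the advisory: every version up to and including
# these is vulnerable. The free plugin is fixed in 2.6.0; the advisory does
# not name the premium fix, so anything above 2.5.6 is treated as patched.
AFFECTED_CEILING = {
    "file-manager-advanced-shortcode": "2.5.4",
    "advanced-file-manager-pro-premium": "2.5.6",
}

# Matches the 'Version:' line of a WordPress plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def parse_version(text):
    """'2.5.4' -> (2, 5, 4); tuples compare correctly component by component."""
    return tuple(int(p) for p in text.split(".") if p)


def extract_version(header_text):
    """Return the Version header value from plugin source text, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def is_affected(slug, version):
    """True when slug is one of the affected plugins at or below its ceiling."""
    ceiling = AFFECTED_CEILING.get(slug)
    return ceiling is not None and parse_version(version) <= parse_version(ceiling)


def scan_plugins(plugins_root):
    """Return {slug: installed_version} for affected installs under plugins_root."""
    findings = {}
    for slug in AFFECTED_CEILING:
        plugin_dir = Path(plugins_root) / slug
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            # Headers sit at the top of the file; 8 KiB is plenty.
            version = extract_version(php.read_text(errors="ignore")[:8192])
            if version is not None:
                if is_affected(slug, version):
                    findings[slug] = version
                break
    return findings


if __name__ == "__main__":
    for slug, version in scan_plugins(sys.argv[1]).items():
        print(f"AFFECTED: {slug} {version}")
```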
