cvedb.io
CVE-2024-8725
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2024-09-26T11:15:11.613 · Last modified 2026-06-17T08:23:11.617

Summary

Multiple plugins and/or themes for WordPress are vulnerable to Limited File Upload in various versions. This is due to a lack of proper checks to ensure lower-privileged roles cannot upload .css and .js files to arbitrary directories. This makes it possible for authenticated attackers with Subscriber-level access and above, who have been granted permissions by an administrator, to upload .css and .js files to any directory within the WordPress root directory, which could lead to Stored Cross-Site Scripting. The Advanced File Manager Shortcodes plugin must be installed to exploit this vulnerability.

Affected products

advancedfilemanager — advanced_file_manager

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.