CVE-2024-11391: 
WordPress vulnerability analysis and mitigation

The Advanced File Manager plugin for WordPress contains a critical security vulnerability (CVE-2024-11391) related to arbitrary file uploads. The vulnerability affects all versions up to and including 5.2.10, discovered and reported by Joshua Provoste on December 2, 2024. The issue stems from missing file type validation in the 'classfmaconnector.php' file (NVD).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical issue lies in the insufficient validation of file types in the classfmaconnector.php component (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher, who have been granted permissions by an Administrator, to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution on the affected WordPress installations (NVD).

A fix has been implemented in the WordPress plugin repository as evidenced by the changelog (WordPress Plugin). Users are advised to update their Advanced File Manager plugin to the latest version available after 5.2.10.