CVE-2024-9669: 
WordPress vulnerability analysis and mitigation

The File Manager Pro – Filester plugin for WordPress contains a Local JavaScript File Inclusion vulnerability (CVE-2024-9669) affecting all versions up to and including 1.8.5. The vulnerability exists in the 'fm_locale' parameter and was partially patched in version 1.8.5 (NVD).

The vulnerability allows authenticated attackers with Administrator-level access and above to include and execute arbitrary files on the server. This can lead to the execution of any PHP code contained within those files. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This poses a significant risk to affected WordPress installations, particularly when combined with administrator-level access (NVD).

Users should update to a version newer than 1.8.5, as the vulnerability was partially patched in this version. Site administrators should also review and limit administrator access to trusted users only (NVD).