CVE-2024-13333
Published: 17 January 2025
Description
The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess?" setting is enabled.
Security Summary
CVE-2024-13333 is an arbitrary file upload vulnerability in the Advanced File Manager plugin for WordPress, stemming from missing file type validation in the 'fma_local_file_system' function. It affects versions 5.2.12 through 5.2.13 of the plugin. The flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts under specific conditions.
Authenticated attackers with Subscriber-level access or higher, who have been granted upload permissions by a site administrator, can exploit this vulnerability. Exploitation requires the "Display .htaccess?" setting to be enabled in the plugin configuration. Successful attacks allow uploading arbitrary files to the affected WordPress site's server, potentially enabling remote code execution depending on the uploaded file type and server configuration.
Mitigation details are available in plugin advisories and patch notes. The Wordfence threat intelligence page provides vulnerability analysis, while WordPress plugin Trac references include the vulnerable code at changeset rev=3200092 in class_fma_connector.php (line 78) and a fix in changeset 3222740. Security practitioners should update the Advanced File Manager plugin to a patched version beyond 5.2.13 and review configurations to disable unnecessary settings such as "Display .htaccess?" where possible.
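To illustrate the kind of file type validation whose absence this advisory describes, the following is an added example written for this page, not the Advanced File Manager plugin's own code; the function names are hypothetical. It applies an extension allowlist to every extension in the name (so double extensions are caught), rejects dotfiles such as .htaccess, and optionally confirms the file content matches the claimed type.

```php
<?php
// Added example: allowlist-based upload validation for a WordPress plugin.
// Not the Advanced File Manager plugin's code; function names are hypothetical.

/**
 * Decide whether an uploaded file name may be written under the web root.
 * Returns null when the name is acceptable, otherwise a reason string.
 */
function afm_example_reject_reason(string $name): ?string {
    // Strip any directory component a client may have embedded in the name.
    $base = basename(str_replace('\\', '/', $name));

    // Null bytes and control characters can truncate or confuse later checks.
    if (preg_match('/[\x00-\x1f\x7f]/', $base)) {
        return 'control character in file name';
    }
    // Dotfiles (.htaccess, .user.ini, ...) change server behaviour when uploaded.
    if ($base === '' || $base[0] === '.') {
        return 'hidden or empty file name';
    }

    // Check every extension in the name, so "shell.php.jpg" is rejected too.
    $parts = explode('.', strtolower($base));
    array_shift($parts);                  // drop the file stem
    if (empty($parts)) {
        return 'no extension';
    }
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return "extension '$ext' not in allowlist";
        }
    }
    return null;
}

/**
 * Second gate: the stored bytes must match what the final extension claims,
 * using libmagic rather than the client-supplied Content-Type.
 */
function afm_example_content_matches(string $path, string $ext): bool {
    $expected = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif',
                 'pdf' => 'application/pdf', 'txt' => 'text/plain'];
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($path);
    return isset($expected[$ext]) && $actual === $expected[$ext];
}
```

In WordPress itself, core's wp_check_filetype_and_ext() performs this extension and content check, and a plugin that accepts uploads should route files through it rather than writing its own gate.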
Details
- CWE(s)