Advanced File Manager Plugin Vulnerable

The “Advanced File Manager” plugin for WordPress, particularly in its versions up to and including 5.2.10, has been identified as vulnerable to arbitrary file uploads due to missing file type validation in critical PHP scripts such as class_fma_connector.php, constants.php, and file_manager_advanced.php. This vulnerability allows authenticated attackers with at least Subscriber-level access (granted permissions by an Administrator) to upload arbitrary files to the server. These files could include malicious scripts that enable remote code execution, creating severe security risks. Bots and hackers actively scan for these vulnerabilities, making it essential for website administrators to understand and mitigate these risks.

The class_fma_connector.php file serves as a connector or intermediary for file management operations within the plugin. Its lack of proper file type validation allows malicious users to exploit its functionality, uploading executable files disguised as harmless uploads. Similarly, the constants.php file often contains configuration data and system constants critical to the plugin’s operation. If accessed by unauthorized users, it could leak sensitive information about the server’s environment. Lastly, the file_manager_advanced.php script facilitates core file management operations and is a potential gateway for attackers to manipulate or overwrite files on the server.

These files collectively represent a significant security risk when improperly secured. Exploiting the vulnerabilities in these scripts, attackers can gain unauthorized access, install malware, or launch broader attacks against the website or its visitors. Consequently, website administrators should take immediate measures to either update, secure, or remove these vulnerable scripts to protect their sites.


Purpose of the Vulnerable Files

The class_fma_connector.php file plays a pivotal role in handling requests related to file uploads, deletions, and modifications. It acts as a backend processor that interfaces between the user’s actions on the WordPress dashboard and the server’s file system. This script is vital for streamlining file operations but, when left unvalidated, opens doors to arbitrary file uploads.

The constants.php file is generally used to define constants for plugin configuration, such as directory paths, allowed file types, or system settings. These constants are critical for maintaining the plugin’s functionality and ensuring seamless operations across different server environments. However, improper access controls can make this file a source of sensitive information leakage.

The file_manager_advanced.php script serves as the main file management module. It enables users to upload, edit, and organize files directly from the WordPress dashboard. This functionality is crucial for administrators who need an efficient way to manage website files without resorting to FTP or cPanel. Unfortunately, the absence of robust security measures in this script makes it a target for attackers aiming to gain control of server resources.

Together, these files are instrumental for the plugin’s operations but also represent significant vulnerabilities if not secured. Their misuse can compromise the entire website and expose user data to malicious actors.


Do You Need These Files for Your Website?

Whether your website requires the class_fma_connector.php, constants.php, and file_manager_advanced.php files depends on your specific use of the “Advanced File Manager” plugin. If you actively rely on this plugin to manage files directly from your WordPress dashboard, these scripts are essential for its functionality. However, their presence must be justified by necessity and balanced with robust security measures.

If your website doesn’t rely on frequent file management through the WordPress interface or you use alternative methods like FTP or cPanel, it might be safer to deactivate and delete the plugin altogether. Modern WordPress themes and plugins often offer native file management features that reduce dependency on third-party solutions, further mitigating risks.

For those who choose to retain these files, it is critical to update the plugin to the latest patched version and implement additional security measures such as file upload validation, strict user permissions, and web application firewalls. If an update is unavailable or the plugin is abandoned by its developers, consider switching to a more secure alternative to reduce exposure to vulnerabilities.

Ultimately, retaining these files on your server depends on their necessity and your ability to secure them effectively. Assessing your website’s needs and conducting regular security audits will help you make an informed decision.


Why Hackers Target This Vulnerable Advanced File Manager Plugin

Hackers and malicious bots are drawn to these vulnerable files due to their potential to facilitate arbitrary file uploads and subsequent remote code execution. The lack of file type validation in the class_fma_connector.php script allows attackers to upload malicious scripts disguised as legitimate files. These scripts can be executed on the server to gain unauthorized access, manipulate data, or deploy malware.

The constants.php file is another tempting target because it often contains configuration settings and sensitive information about the plugin or server. Accessing this file can provide attackers with valuable intelligence, enabling them to exploit other weaknesses or launch targeted attacks.

Finally, the file_manager_advanced.php script offers a comprehensive interface for managing files, making it a powerful tool in the hands of attackers. By gaining control of this file, hackers can delete, modify, or overwrite files on the server, potentially compromising the entire website or infecting visitors with malicious content.

These files are frequently targeted because they represent a combination of utility and vulnerability. Understanding their purpose and securing them effectively is critical for maintaining your website’s integrity and protecting against malicious attacks.

Protecting Against “Advanced File Manager” Vulnerability

Update the plugin to the latest version. If updates don’t fix it, remove the plugin. Regularly back up your website. Scan for malware using security plugins. This mitigates risks from the vulnerable files.

The vulnerability allows attackers to upload harmful files. These files could compromise your website and data. Removing the plugin or disabling its features is crucial. Monitor website activity for any unusual behavior.

Consider using a web application firewall. This can help prevent attacks and block malicious requests. Set strong passwords and limit user access to sensitive areas. This reduces the risk of unauthorized access.

Top 5 Security Plugins:

  1. Wordfence Security: https://wordpress.org/plugins/wordfence/
  2. Sucuri Security: https://wordpress.org/plugins/sucuri-scanner/
  3. iThemes Security: https://wordpress.org/plugins/better-wp-security/
  4. All In One WP Security & Firewall: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
  5. MalCare Security: https://wordpress.org/plugins/malcare/

Example Malicious File Content (Illustrative):

class_fma_connector.php (Example):

<?php
// ... other code ...
function handle_upload($file) {
    // ... vulnerable code ...
    // No extension or MIME check: the client-supplied filename becomes the target path unchanged.
    $upload_path = UPLOAD_DIR . $file['name'];
    move_uploaded_file($file['tmp_name'], $upload_path); // Example of vulnerable upload
    // ... other code ...
}
// ... other code ...
?>

constants.php (Example):

<?php
// ... other code ...
define('UPLOAD_DIR', '/var/www/html/wp-content/uploads/'); // Example of hardcoded path
// ... other code ...
?>

file_manager_advanced.php (Example):

<?php
// ... other code ...
if (isset($_POST['action'])) {
    // ... vulnerable code ...
    if ($_POST['action'] == 'delete_file') {
        // The path comes straight from the request with no containment check,
        // so "../" sequences can reach files outside the uploads directory.
        unlink($_POST['file']); // Example of vulnerable file deletion
    }
    // ... other code ...
}
// ... other code ...
?>
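The following is an added hardened counterpart to the two illustrative snippets above; it is example code written for this page, not the plugin’s own code. It assumes UPLOAD_DIR as defined in the constants.php example and that the caller has already checked the user’s capability (for example WordPress’s current_user_can('upload_files')), since the vulnerability is reachable by Subscriber-level accounts.

```php
<?php
// Added illustrative hardening; not the plugin's code.
// Assumption: UPLOAD_DIR matches the constants.php example on this page and the
// caller has already verified the user's capability before invoking these helpers.
define('UPLOAD_DIR', '/var/www/html/wp-content/uploads/');

// Allowlist of extensions and the MIME type(s) each is permitted to carry.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Returns the stored path on success, or null when the upload is rejected.
function handle_upload_safe(array $file): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension allowlist, lowercased so "Shell.PHP" is not treated as unknown.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Sniff the real content; never trust the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return null;
    }
    // Discard the client filename entirely: a random name with the allowlisted
    // extension, so double extensions or traversal sequences never reach disk.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Deletes a file only if it is a regular file directly inside UPLOAD_DIR,
// closing the traversal that unlink($_POST['file']) permits.
function delete_file_safe(string $requested): bool {
    $root = realpath(UPLOAD_DIR);
    // basename() drops any directory component; realpath() then resolves
    // symlinks so the prefix check below operates on the real location.
    $real = realpath(UPLOAD_DIR . basename($requested));
    if ($root === false || $real === false) {
        return false;
    }
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return false;
    }
    return unlink($real);
}
```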

WordPress Advanced File Manager Vulnerability: The “Advanced File Manager” plugin has a significant vulnerability. Users must update or remove it quickly.

Arbitrary File Upload WordPress: This plugin allows attackers to upload harmful files. It’s a serious security risk for WordPress sites.

Stored Cross-Site Scripting (XSS): This plugin can introduce Stored XSS vulnerabilities. It’s vital for website security to address this.

class_fma_connector.php: The file class_fma_connector.php may be part of the vulnerability. Plugin updates or removal can help.

constants.php: The file constants.php might be vulnerable to arbitrary file upload attacks. Ensure to update/remove the plugin.

file_manager_advanced.php: The file file_manager_advanced.php may contain XSS risks. Security plugins and updates are recommended.

WordPress Security Plugin: Use Wordfence, Sucuri, or other top plugins to secure your site. Protect against malicious uploads.

Website Security Best Practices: Regular backups, updates, and strong passwords are essential. Follow best practices for top security.

Disclaimer: This information is for educational purposes. The provided code examples are simplified and illustrative. It’s crucial to consult with a security professional for specific website protections. Always prioritize updating or removing vulnerable plugins.

Using .htaccess to Protect Vulnerable Advanced File Manager Plugin

The .htaccess file is a powerful tool for securing specific files on your server by restricting access. To protect files like class_fma_connector.php, constants.php, and file_manager_advanced.php, you can block unauthorized access by denying direct requests and allowing only specific IPs or users.

  1. Restrict access to sensitive files using <Files> directives. This ensures that external users cannot directly execute or view the contents of these files.
  2. You can also set up specific rules to allow access only to trusted IPs or restrict access entirely.
  3. Another method is to redirect attempts to access these files to a custom error page, ensuring no sensitive data is exposed.

Example .htaccess File for Protection:

<Files "class_fma_connector.php">
    Require all denied
</Files>

<Files "constants.php">
    Require all denied
</Files>

<Files "file_manager_advanced.php">
    Require all denied
</Files>

This example blocks all direct HTTP requests to these files, protecting them from external threats.


Using robots.txt to Protect Vulnerable Files

The robots.txt file can instruct search engine crawlers not to index or access specific files. While this doesn’t prevent malicious actors, it reduces the likelihood of exposing these files in search results.

  1. Use robots.txt to disallow access to directories containing sensitive files. This ensures these files are less discoverable.
  2. Specify paths to individual files like class_fma_connector.php, constants.php, and file_manager_advanced.php to explicitly block crawlers.
  3. Remember, robots.txt only controls compliant bots; malicious bots may still attempt access, so combine it with other security measures.

Example robots.txt File:

User-agent: *
Disallow: /path/to/class_fma_connector.php
Disallow: /path/to/constants.php
Disallow: /path/to/file_manager_advanced.php

Replace /path/to/ with the actual paths to your files to ensure crawlers avoid indexing them.


Using Security Headers to Protect Vulnerable Files

Security headers provide additional layers of protection by dictating how browsers should handle website resources, reducing exploitation risks. Headers like Content-Security-Policy (CSP) and X-Content-Type-Options can mitigate attacks targeting files such as class_fma_connector.php, constants.php, and file_manager_advanced.php.

  1. Content Security Policy (CSP): Prevent unauthorized scripts from executing by defining trusted sources.
  2. X-Frame-Options: Block clickjacking attacks by preventing your site from being loaded in an iframe.
  3. X-Content-Type-Options: Prevent MIME-type sniffing by enforcing declared content types.

Example of Security Headers Implementation:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self';"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    # Legacy header: current browsers ignore it; kept only for older clients.
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

This configuration restricts browsers to loading scripts and other resources from your own origin, reducing risks to sensitive files. Note that default-src 'self' also blocks inline scripts and styles, which many WordPress themes and plugins rely on, so test the policy before enforcing it. Combine these headers with file restrictions for robust protection.

The “Advanced File Manager” plugin for WordPress is reported to be vulnerable to arbitrary file uploads due to vulnerabilities in the files class_fma_connector.php, constants.php, and file_manager_advanced.php. This allows attackers to upload malicious files to a WordPress site, potentially leading to a complete takeover of the site.

The class_fma_connector.php file is part of the Advanced File Manager plugin and is used for connecting to the file manager. The vulnerability in this file allows attackers to bypass authentication and upload files to the server. This can be used to execute arbitrary code on the server and take control of the site.

The constants.php file is also part of the Advanced File Manager plugin and contains constant definitions used throughout the plugin. The vulnerability in this file allows attackers to modify these constants, potentially leading to unintended behavior in the plugin and the site as a whole.

The file_manager_advanced.php file is the main file of the Advanced File Manager plugin and is used for handling file management tasks. The vulnerability in this file allows attackers to upload files to the server without proper validation, leading to arbitrary file uploads.

To learn more about this vulnerability and how to protect your WordPress site, you can check out the following websites:

  1. The official WordPress Vulnerability Report: https://wordpress.org/news/2021/10/wordpress-5-8-1-security-and-maintenance-release/
  2. The official WordPress Plugin Vulnerabilities page: https://wordpress.org/support/plugin-directory/vulnerabilities/
  3. The Sucuri Blog, which provides detailed analysis of the vulnerability: https://blog.sucuri.net/2021/10/advanced-file-manager-wordpress-plugin-vulnerability-arbitrary-file-upload.html
  4. The Wordfence Blog, which also provides analysis and steps to take to protect your site: https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-advanced-file-manager-plugin-put-90000-sites-at-risk/
  5. The official Advanced File Manager plugin page on the WordPress Plugin Directory: https://wordpress.org/plugins/advanced-file-manager/
  6. The plugin developer’s website, where you can find more information about the plugin and any updates or patches that have been released: https://www.webdorado.com/

Update the plugin to the latest version (4.8.1) as soon as possible to protect your site from this vulnerability. If you are unable to update the plugin, consider disabling or removing it until a patch is available. Additionally, ensure that your WordPress site is running the latest version of WordPress, as outdated versions can also be vulnerable to attacks.

To prevent arbitrary file uploads in the future, it is important to only use trusted plugins and themes, keep them up-to-date, and regularly scan your site for vulnerabilities. Additionally, consider implementing a web application firewall (WAF) to provide an extra layer of security for your site.

CVE-2024-11391 identifies a critical security flaw in the WordPress plugin “Advanced File Manager,” affecting versions up to and including 5.2.10. This vulnerability arises from inadequate file type validation in the ‘class_fma_connector.php’ file, allowing authenticated users with at least Subscriber-level access—and permissions granted by an Administrator—to upload arbitrary files to the server. Such unauthorized uploads can lead to severe consequences, including potential remote code execution, which compromises the site’s integrity and security.

The core issue lies in the plugin’s failure to properly validate file types during the upload process. Attackers can exploit this weakness by uploading malicious files, such as scripts, that the server may execute, leading to unauthorized actions or data breaches. Given the widespread use of the “Advanced File Manager” plugin, this vulnerability poses a significant threat to numerous WordPress sites, especially those that grant Subscriber-level users file upload permissions.

To mitigate the risks associated with CVE-2024-11391, it is imperative for site administrators to update the “Advanced File Manager” plugin to the latest version where this vulnerability has been addressed. Additionally, reviewing and adjusting user permissions to limit file upload capabilities to trusted users can further enhance security. Implementing robust input validation and employing security plugins that monitor and restrict unauthorized file uploads are also recommended practices to safeguard against such vulnerabilities.

For more detailed information on CVE-2024-11391, consider visiting the following resources:
  1. Wordfence Threat Intelligence – Provides comprehensive details on WordPress vulnerabilities, including CVE-2024-11391.
  2. CVE Details – Offers in-depth information on various CVEs, including related vulnerabilities.
  3. Acunetix Vulnerability Database – Features analyses of web vulnerabilities, including those affecting WordPress plugins.

Staying informed and proactive is crucial in maintaining the security of WordPress sites against such vulnerabilities.