Description
The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.
Published: 2025-11-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure Direct Object Reference allowing arbitrary file renaming by authenticated users
Action: Upgrade plugin
AI Analysis

Impact

The Frontend File Manager Plugin for WordPress contains an insecure direct object reference in the REST API endpoint '/wpfm/v1/file-rename'. Because the endpoint acts on whatever 'fileid' the caller supplies, without checking that the caller is the user who uploaded that file, any authenticated user with Subscriber-level access or higher can rename a file belonging to another user. This is horizontal privilege escalation: the attacker gains no new role, but acts on another user's resources. Renaming can be used to disguise a malicious upload behind an innocuous name, to hide or disrupt another user's data, or to break anything that references the file by name (links, configuration, download handlers); whether a rename can overwrite an existing file depends on how the plugin handles name collisions, which the advisory does not state. The weakness is CWE-639, Authorization Bypass Through User-Controlled Key, the classic IDOR pattern. The overall impact is moderate: the flaw does not lead directly to code execution, and the CVSS vector records a low integrity impact with no confidentiality or availability impact, but it undermines the integrity of user data and complicates administration.

Affected Systems

Affected systems are WordPress installations running Najeebmedia's Frontend File Manager Plugin in any version up to and including 23.4, that is, every release before 23.5, the first version outside the affected range and the one in which the ownership check is stated to have been added. Administrators can confirm the installed version on the Plugins screen or, with WP-CLI, via 'wp plugin list'; a version of 23.4 or lower is affected.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, and a low impact on integrity only. The EPSS score is below 1%, and the issue is not listed in the CISA KEV catalog, so exploitation in the wild is currently unlikely. Exploitation requires authentication as Subscriber or higher. Subscriber is the lowest default WordPress role, so on sites that allow open registration (Settings > General, 'Anyone can register') any visitor can obtain the required access by creating an account, and a site that offers front-end uploads will by design have many users at this level. The attacker sends a rename request to the endpoint with a 'fileid' that belongs to another user; because the plugin does not validate ownership before processing the rename, the action succeeds and the targeted file is renamed. The capability is limited to renaming, with no direct vertical privilege escalation, but renamed files can be used for deception (for example presenting an uploaded file under a harmless-looking name) or to disrupt components that rely on stable file names, which makes the flaw worth patching promptly despite its modest score.

Generated by OpenCVE AI on April 21, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround is recorded in this field. The affected range (up to and including 23.4) implies that 23.5 is the first unaffected release; confirm this against the plugin changelog before relying on it.

OpenCVE Recommended Actions

  • Upgrade the Frontend File Manager Plugin to version 23.5 or later, the first release outside the affected range, and confirm in the plugin changelog that the file‑rename ownership check is present; the Remediation field above does not yet record a vendor fix.
  • Until the upgrade is applied, restrict the '/wpfm/v1/file-rename' route. A web‑application firewall or security plugin can only block the route outright (which also stops users renaming their own files); an ownership check that distinguishes the caller's files from other users' files has to be enforced server‑side, for example in a must‑use plugin hooked into the REST dispatch.
  • Reduce exposure by limiting who can register and upload: disable open registration if the site does not need it, review existing Subscriber‑level accounts, and turn off front‑end uploads for low‑privileged roles in the plugin's settings where the site does not require them.
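The following must‑use plugin is an added example of the server‑side ownership check described in the actions above; it is not code from the Frontend File Manager plugin or from OpenCVE. It hooks WordPress's rest_request_before_callbacks filter, which runs before a route's permission and main callbacks, and refuses '/wpfm/v1/file-rename' requests whose 'fileid' does not belong to the calling user. It assumes that 'fileid' is the ID of a WordPress post (or attachment) record created by the uploader, so that post_author identifies the owner, and that administrators (manage_options) should keep the ability to rename any file; both assumptions are marked in the code and must be checked against the plugin before deployment. The function name wpfm_guard_check_ownership is hypothetical.

```php
<?php
/**
 * Plugin Name: WPFM file-rename ownership guard (mu-plugin)
 * Description: Virtual patch for CVE-2025-13382. Denies /wpfm/v1/file-rename
 *              requests whose 'fileid' is not owned by the calling user.
 *
 * Added example, not code from the Frontend File Manager plugin.
 * ASSUMPTIONS (not verified against the plugin source):
 *  - 'fileid' is the ID of a WordPress post/attachment created by the
 *    uploader, so post_author identifies the owner.
 *  - Administrators (manage_options) may rename any file.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Only act on the vulnerable route; leave every other REST request alone.
    if ( '/wpfm/v1/file-rename' !== $request->get_route() ) {
        return $response;
    }

    // If an earlier filter already refused the request, keep that answer.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Assumption: site administrators keep full rename rights.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // get_param() covers query string, form body and JSON body.
    $check = wpfm_guard_check_ownership( $request->get_param( 'fileid' ), get_current_user_id() );

    // Returning a WP_Error here short-circuits the route: the plugin's own
    // callbacks never run and the REST layer emits the error as JSON.
    return is_wp_error( $check ) ? $check : $response;
}, 10, 3 );

/**
 * Return true when $user_id owns the file record $fileid, otherwise a
 * WP_Error carrying the HTTP status the REST layer should send.
 *
 * Hypothetical helper written for this example.
 */
function wpfm_guard_check_ownership( $fileid, $user_id ) {
    $fileid  = absint( $fileid );
    $user_id = absint( $user_id );

    // Unauthenticated callers or a missing/non-numeric fileid: reject early.
    if ( 0 === $fileid || 0 === $user_id ) {
        return new WP_Error(
            'wpfm_guard_bad_request',
            'Missing or invalid fileid.',
            array( 'status' => 400 )
        );
    }

    // Assumption: the file is a post record whose post_author is the uploader.
    $post = get_post( $fileid );

    // Fail closed, and use the same response for "does not exist" and
    // "belongs to someone else" so the endpoint cannot be used to enumerate
    // valid file IDs.
    if ( ! $post || (int) $post->post_author !== $user_id ) {
        return new WP_Error(
            'wpfm_guard_forbidden',
            'You may only rename your own files.',
            array( 'status' => 403 )
        );
    }

    return true;
}
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated from the dashboard. The guard fails closed: if 'fileid' does not resolve to a post the request is denied, so test it on a staging copy of the site first. If the plugin keeps file metadata elsewhere (for example in its own table), replace the get_post() lookup with the plugin's own owner lookup and leave the rest of the check unchanged. Because the check runs inside WordPress it also covers requests that reach the endpoint by a path a WAF rule does not match.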


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000


Wed, 26 Nov 2025 11:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Najeebmedia
                                       Najeebmedia frontend File Manager Plugin
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Najeebmedia
                                       Najeebmedia frontend File Manager Plugin
                                       Wordpress
                                       Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Nov 2025 07:45:00 +0000

Type          Values Removed   Values Added
Description                    The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.
Title                          Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:25.152Z

Reserved: 2025-11-18T20:35:25.380Z

Link: CVE-2025-13382

Vulnrichment

Updated: 2025-11-25T14:53:19.087Z

NVD

Status : Deferred

Published: 2025-11-25T08:15:50.253

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses