Impact
The Frontend Post Submission Manager Lite plugin contains a missing authorization flaw in the media_delete_action function that allows any unauthenticated web user to delete files stored on the server. Because the vulnerability permits arbitrary removal of attachments, an attacker can erase media used by a WordPress site, compromising content availability and potentially disrupting user experience. This flaw falls under CWE-862, a missing authorization weakness. The impact is data loss rather than code execution or privilege escalation.
Affected Systems
WordPress sites that have installed the Frontend Post Submission Manager Lite plugin, from version 1.0 up to and including 1.2.6, are affected. These installations are directly vulnerable until the plugin is updated to a more recent release that implements proper authentication checks for the delete action.
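An inventory check for the affected range above, added here as an example and not taken from the advisory or the plugin: it reads WordPress plugin headers under a plugins directory and flags copies whose version falls in 1.0 through 1.2.6. The directory built in `demo()`, its folder names and its sample versions are constructed; a version outside the range is reported as such rather than as fixed, because the advisory names no fixed release.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "Frontend Post Submission Manager Lite"  # name as written in the advisory
FIRST_AFFECTED, LAST_AFFECTED = "1.0", "1.2.6"          # range stated in the advisory
# WordPress plugin headers are "Field: value" lines in the main file's opening comment.
FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M | re.I)

def parse_version(text):
    """'1.2.6' -> (1, 2, 6, 0); None when the string has no leading numeric version."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))[:4]
    return parts + (0,) * (4 - len(parts))  # pad so 1.0 and 1.0.0 compare equal

def classify(version_text):
    """Place a header version relative to the advisory's affected range."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # no readable version: review this copy by hand
    in_range = parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)
    return "affected" if in_range else "outside affected range"

def audit(plugins_dir):
    """Return [(main file path, version string, status)] for each copy of the plugin."""
    found = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # WordPress reads the first 8 KB
        fields = {k.lower(): v.strip() for k, v in reversed(FIELD.findall(head))}
        if fields.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            ver = fields.get("version", "")
            found.append((php.relative_to(plugins_dir).as_posix(), ver, classify(ver)))
    return found

def demo():
    """Audit a constructed plugins directory; folder names and versions are made up."""
    samples = {"copy-a": (PLUGIN_NAME, "1.2.6"), "copy-b": (PLUGIN_NAME, "1.3.0"),
               "copy-c": (PLUGIN_NAME, ""), "other": ("Some Other Plugin", "1.1")}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, (name, ver) in samples.items():
            Path(tmp, folder).mkdir()
            header = f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n"
            Path(tmp, folder, "main.php").write_text(header)
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit()` at a site's `wp-content/plugins` directory to run it on a real installation.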
Risk and Exploitability
With a CVSS score of 5.3, the overall severity is moderate; the EPSS score is below 1%, indicating low predicted exploitation likelihood, and the vulnerability is not catalogued in the CISA KEV list. The flaw can be exploited remotely by sending an unauthenticated HTTP request to the media_delete_action endpoint, so any publicly accessible WordPress installation that has the plugin enabled is potentially at risk. No additional credentials or network proximity are required, making the attack vector effectively public.