Description
Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through <= 23.2.
Published: 2025-11-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The N‑Media Frontend File Manager plugin contains a missing authorization flaw that permits users to bypass configured access controls and interact with file management features. Attackers can upload, download, modify or delete files stored by the plugin, potentially exposing sensitive data or facilitating further compromise.

Affected Systems

Vendors: N‑Media. Product: Frontend File Manager plugin for WordPress. Versions affected include all releases up to and including 23.2.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the WordPress web interface and relies on the plugin’s lack of proper permission checks, making it an application‑level attack that does not involve privilege escalation.

Generated by OpenCVE AI on April 29, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version that resolves the access control defect.
  • If an upgrade is not immediately possible, limit the plugin’s functionality to administrators only by adjusting WordPress role permissions.
  • Continuously monitor upload activity and file access logs for anomalous behavior and investigate any unauthorized actions.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 16:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: N-media; N-media frontend File Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: N-media; N-media frontend File Manager; Wordpress; Wordpress wordpress

Thu, 13 Nov 2025 09:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frontend File Manager: from n/a through <= 23.2.

Type: Title
Values Added: WordPress Frontend File Manager plugin <= 23.2 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:12.942Z

Reserved: 2025-10-29T03:08:22.608Z

Link: CVE-2025-64265

Vulnrichment

Updated: 2025-11-13T17:55:13.214Z

NVD

Status: Deferred

Published: 2025-11-13T10:15:51.947

Modified: 2026-04-27T16:16:38.900

Link: CVE-2025-64265

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:15:23Z

Weaknesses