The Frontend File Manager Plugin for WordPress in versions up to 23.5 lacks authentication checks before allowing email transmission. This flaw permits anyone on the internet to trigger the site’s SMTP mechanism to send arbitrary emails, effectively turning the website into an open relay that can be used for spam or phishing campaigns. Additionally, the plugin’s file ID guessing ability enables unauthenticated users to discover and download uploaded content that is not meant for public access, potentially exposing sensitive data. The weakness is identified as CWE-862, reflecting missing authorization.

WordPress sites that have the Frontend File Manager Plugin installed in any version 23.5 or older are susceptible. No vendor or product sub‑versions are listed beyond the maximum affected release, so any installation predating version 23.6 is at risk.

The CVSS score of 5.8 indicates a medium severity resulting from the lack of authentication combined with functionality that exploits the site’s email service. An EPSS score of 3% suggests that, while the exploitation probability is not negligible, it is relatively modest; the vulnerability is not cataloged by CISA in the KEV list. Attackers are likely to exploit the issue by crafting direct HTTP requests to the plugin’s email endpoint from the public internet, a path that requires no credentials and minimal reconnaissance.