Description
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
Published: 2026-01-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access and exfiltration
Action: Apply Patch
AI Analysis

Impact

The Frontend File Manager Plugin for WordPress performs no capability check in the handler for the 'wpfm_send_file_in_email' AJAX action, so an unauthenticated visitor can have any uploaded file emailed out of the site simply by supplying its file ID. Because the plugin assigns sequential integer IDs to uploads, no prior knowledge of a file is needed: an attacker can iterate over the ID space and have every file on the site sent out, including files that were meant to be visible only to administrators. The weakness is a missing authorization check (CWE-862); the impact is disclosure and exfiltration of sensitive data, with no effect on integrity or availability.

Affected Systems

All WordPress sites running the Frontend File Manager Plugin by nmedia (recorded as Najeebmedia in the CPE data below) at version 23.5 or earlier are affected. Any site that has not upgraded past 23.5 should be treated as vulnerable; the description gives no lower bound, so no older release can be assumed safe.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High): reachable over the network, no privileges or user interaction required, full loss of confidentiality. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, which says only that widespread exploitation had not been observed at the time of writing, not that the attack is hard. The SSVC assessment marks it as automatable, and exploitation is a single unauthenticated HTTP request to the WordPress AJAX endpoint (admin-ajax.php) with the action set to 'wpfm_send_file_in_email' and a chosen 'file_id' value; no session or prior knowledge of a file is needed. Because IDs are sequential integers, a short loop over the ID space is enough to have every uploaded file mailed out, so confidential documents uploaded by administrators should be treated as exposed on any unpatched site.

Generated by OpenCVE AI on April 15, 2026 at 18:58 UTC.
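To make that traffic pattern concrete, here is an added example (not code from the advisory, OpenCVE or the plugin) that scans a web-server access log for calls to the 'wpfm_send_file_in_email' action and flags clients sweeping file IDs. It assumes the standard combined log format, a default WordPress layout (admin-ajax.php under /wp-admin/), and that the action and file_id appear in the query string; when a client POSTs them in the body the access log does not record them, so the per-client request count is kept as a fallback signal. The thresholds and the log lines are constructed for the example, not taken from real traffic.

```php
<?php
// Added example (not plugin or advisory code): flag clients enumerating
// the 'wpfm_send_file_in_email' AJAX action in a combined-format access log.

const WPFM_ACTION   = 'wpfm_send_file_in_email';
const WPFM_ENDPOINT = '/wp-admin/admin-ajax.php'; // assumption: default WordPress layout

/**
 * Parse one combined-format log line. Returns the interesting fields for a call
 * to the share-by-email action, or null for any other line.
 */
function wpfm_parse_line( string $line ) : ?array {
    // client, ident, user, [timestamp], "METHOD target PROTO", status
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $url = parse_url( $m[4] );
    if ( ( $url['path'] ?? '' ) !== WPFM_ENDPOINT ) {
        return null;
    }
    $query = array();
    parse_str( $url['query'] ?? '', $query );
    if ( ( $query['action'] ?? '' ) !== WPFM_ACTION ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'status'  => (int) $m[5],
        // null when file_id travelled in a POST body, which the access log does not record
        'file_id' => isset( $query['file_id'] ) ? (int) $query['file_id'] : null,
    );
}

/**
 * Summarise calls per client IP. A client is flagged when it touched at least
 * $min_ids distinct file IDs, or made at least $min_requests calls to the action
 * (the fallback for the POST-body case). Thresholds are assumptions; tune per site.
 */
function wpfm_scan_log( array $lines, int $min_ids = 5, int $min_requests = 20 ) : array {
    $clients = array();
    foreach ( $lines as $line ) {
        $hit = wpfm_parse_line( $line );
        if ( $hit === null ) {
            continue;
        }
        $ip = $hit['ip'];
        $clients[ $ip ]['requests'] = ( $clients[ $ip ]['requests'] ?? 0 ) + 1;
        if ( $hit['file_id'] !== null ) {
            $clients[ $ip ]['ids'][ $hit['file_id'] ] = true;
        }
    }
    foreach ( $clients as $ip => $c ) {
        $ids = array_keys( $c['ids'] ?? array() );
        sort( $ids );
        $n = count( $ids );
        // A gap-free run of IDs is the fingerprint of a scripted sweep over sequential IDs.
        $sequential = $n > 1 && ( $ids[ $n - 1 ] - $ids[0] + 1 ) === $n;
        $clients[ $ip ] = array(
            'requests'     => $c['requests'],
            'distinct_ids' => $n,
            'sequential'   => $sequential,
            'flagged'      => $n >= $min_ids || $c['requests'] >= $min_requests,
        );
    }
    return $clients;
}

// Constructed sample (not real traffic): one scripted sweep and one ordinary user.
$sample = array();
for ( $id = 100; $id < 108; $id++ ) {
    $sample[] = sprintf(
        '203.0.113.7 - - [29/Jan/2026:10:02:%02d +0000] "POST /wp-admin/admin-ajax.php?action=%s&file_id=%d HTTP/1.1" 200 61 "-" "curl/8.5.0"',
        $id - 100, WPFM_ACTION, $id
    );
}
$sample[] = '198.51.100.4 - - [29/Jan/2026:10:05:30 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=42 HTTP/1.1" 200 61 "https://example.com/my-files/" "Mozilla/5.0"';
$sample[] = '198.51.100.4 - - [29/Jan/2026:10:05:31 +0000] "GET /wp-content/uploads/2026/01/report.pdf HTTP/1.1" 200 8123 "-" "Mozilla/5.0"';

foreach ( wpfm_scan_log( $sample ) as $ip => $c ) {
    printf( "%-14s requests=%-3d distinct_ids=%-3d sequential=%-3s %s\n",
        $ip, $c['requests'], $c['distinct_ids'], $c['sequential'] ? 'yes' : 'no',
        $c['flagged'] ? 'FLAGGED' : 'ok' );
}
```

Run it as `php scan.php < /dev/null` after replacing the constructed array with `file('/var/log/nginx/access.log')`. The sweep from 203.0.113.7 is flagged on distinct IDs; the single request from 198.51.100.4 is not. Because legitimate users also call this action on a vulnerable site, corroborate a flagged client with the site's outbound mail log before treating it as an incident.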

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Frontend File Manager Plugin to a release later than 23.5 that adds the missing authorization check, once the vendor ships one; the advisory itself lists no fixed version.
  • If an upgrade is not immediately possible, stop anonymous callers from reaching the 'wpfm_send_file_in_email' AJAX action: gate it behind a capability check in a must-use plugin, or deny requests to admin-ajax.php that carry that action at the web server (the latter disables the feature for legitimate users as well).
  • Review every file uploaded through the plugin for sensitive content, and treat anything with a guessable sequential ID as potentially already mailed out; delete or move files that should not be reachable.
  • Keep WordPress core and all plugins up to date, and review web server logs and outbound mail for bursts of 'wpfm_send_file_in_email' requests or unexpected file-share emails.

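One way to apply the second recommendation without editing the plugin, as an added example that is not the vendor's code or an official workaround: a must-use plugin that hooks the same AJAX action ahead of the plugin's own handler and refuses callers who lack a chosen capability. It assumes the plugin registers its handler on the standard wp_ajax_{action} and wp_ajax_nopriv_{action} hooks at the default priority (the action name comes from the advisory; the hook names are WordPress convention, not something the advisory states) and that the parameter is named file_id, as in the CVE title. It cannot verify that a file belongs to the caller or that the recipient address is acceptable; that remains the plugin's responsibility, so this is a stopgap until a fixed release is installed.

```php
<?php
/**
 * Plugin Name: WPFM share-by-email gate (stopgap for CVE-2026-1280)
 * Description: Refuses the 'wpfm_send_file_in_email' AJAX action unless the caller
 *              is logged in and holds WPFM_GATE_CAPABILITY. Added example, not vendor
 *              code. Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Administrators only, per the advisory's note that the files were meant for them.
// Relax to e.g. 'upload_files' if non-admin users legitimately share their own files.
const WPFM_GATE_CAPABILITY = 'manage_options';
const WPFM_GATE_ACTION     = 'wpfm_send_file_in_email'; // action name from the advisory

/**
 * Pure decision function: null when the request may reach the plugin, otherwise
 * an HTTP status and reason. Kept free of WordPress calls so it can be unit-tested.
 */
function wpfm_gate_decision( bool $logged_in, bool $has_capability, $file_id ) : ?array {
    if ( ! $logged_in ) {
        return array( 'status' => 401, 'reason' => 'authentication required' );
    }
    if ( ! $has_capability ) {
        return array( 'status' => 403, 'reason' => 'missing capability ' . WPFM_GATE_CAPABILITY );
    }
    // The enumeration vector is a sequential integer; refuse anything else (arrays,
    // null, zero, negatives, non-numeric strings) before the plugin's handler sees it.
    $id = filter_var( $file_id, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
    if ( $id === false ) {
        return array( 'status' => 400, 'reason' => 'file_id is not a positive integer' );
    }
    return null;
}

/** Hook callback: runs before the plugin's own handler and ends the request on refusal. */
function wpfm_gate_enforce() : void {
    $decision = wpfm_gate_decision(
        is_user_logged_in(),
        current_user_can( WPFM_GATE_CAPABILITY ),
        $_REQUEST['file_id'] ?? null // assumption: parameter name as given in the CVE title
    );
    if ( $decision === null ) {
        return; // fall through to the plugin's handler
    }
    error_log( sprintf(
        'wpfm-gate: refused %s from %s (%s)',
        WPFM_GATE_ACTION,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $decision['reason']
    ) );
    // wp_send_json_error() ends with wp_die(), so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), $decision['status'] );
}

// Priority 0 runs ahead of a handler registered at the default priority 10.
add_action( 'wp_ajax_nopriv_' . WPFM_GATE_ACTION, 'wpfm_gate_enforce', 0 );
add_action( 'wp_ajax_' . WPFM_GATE_ACTION, 'wpfm_gate_enforce', 0 );
```

Save it as wp-content/mu-plugins/wpfm-gate.php. An enumeration script then receives a 401 JSON error for every file_id instead of a mailed file, and each refusal is written to the PHP error log with the client address, which gives the log review in the last recommendation something concrete to look for. Remove the file once a fixed plugin release is installed; leaving it in place is harmless but hides whether the plugin's own check works.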


Advisories

No advisories yet.

History

Thu, 29 Jan 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Najeebmedia
                                      Najeebmedia frontend File Manager Plugin
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Najeebmedia
                                      Najeebmedia frontend File Manager Plugin
                                      Wordpress
                                      Wordpress wordpress

Wed, 28 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 11:30:00 +0000

Type          Values Removed   Values Added
Description                    The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
Title                          Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:20.675Z

Reserved: 2026-01-20T22:17:51.761Z

Link: CVE-2026-1280

Vulnrichment

Updated: 2026-01-28T15:55:49.124Z

NVD

Status: Deferred

Published: 2026-01-28T12:15:52.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses