Description
During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.
Published: 2026-05-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend File Manager Plugin allows a subscriber‑level authenticated user to request a file download without verifying ownership. By modifying the file_id query parameter in the download endpoint, an attacker can download any file uploaded by any user, including administrators, leading to a breach of confidentiality. This is an Insecure Direct Object Reference (IDOR) flaw. The vulnerability is thus a clear pathway for an attacker to read sensitive data stored in the application.

Affected Systems

WordPress sites that install the Frontend File Manager Plugin, versions 23.6 and earlier. The vulnerability exists in the plugin’s download endpoint and applies to all users with Subscriber‑level access or higher.

Risk and Exploitability

The CVSS score is 6.5, and the EPSS score of 0.0002 indicates a very low but nonzero probability of exploitation. The issue is not listed in the CISA KEV catalogue. Still, the attack only requires an authenticated user with a basic HTTP request to the download endpoint, making it potentially feasible in environments where the plugin is active and the endpoint is reachable. The exploitation results in unauthorized read access to any file the user privileges allow, posing a significant confidentiality risk.

Generated by OpenCVE AI on May 4, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of the Frontend File Manager Plugin (23.7 or later) once the maintainer releases a fix.
  • If an upgrade is not immediately possible, block the download endpoint for non‑admin users by implementing access control checks that validate that the requesting user owns the file or is an administrator.
  • Configure logging to record all download attempts and monitor for unauthorized activity to detect potential IDOR exploitation.

Generated by OpenCVE AI on May 4, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 03 May 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Sun, 03 May 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639

Sun, 03 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.
Title Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR
References

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-04T13:31:12.695Z

Reserved: 2026-04-01T14:05:29.660Z

Link: CVE-2026-5337

cve-icon Vulnrichment

Updated: 2026-05-04T13:31:08.575Z

cve-icon NVD

Status : Deferred

Published: 2026-05-03T07:16:24.687

Modified: 2026-05-04T15:23:19.800

Link: CVE-2026-5337

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T16:00:04Z

Weaknesses