CVE-2026-5337 - Vulnerability Details

Description

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.

Published: 2026-05-03

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Frontend File Manager Plugin allows a subscriber‑level authenticated user to request a file download without verifying ownership. By modifying the file_id query parameter in the download endpoint, an attacker can download any file uploaded by any user, including administrators, leading to a breach of confidentiality. This is an Insecure Direct Object Reference (IDOR) flaw. The vulnerability is thus a clear pathway for an attacker to read sensitive data stored in the application.

Affected Systems

WordPress sites that install the Frontend File Manager Plugin, versions 23.6 and earlier. The vulnerability exists in the plugin’s download endpoint and applies to all users with Subscriber‑level access or higher.

Risk and Exploitability

The CVSS score is not listed, but the EPSS score is unavailable and the issue is not in CISA KEV, indicating limited public exploitation data. However, the attack requires only an authenticated user with a simple HTTP request, so the likelihood of exploitation is high in environments where the plugin is enabled and the download endpoint is exposed. The exploitation results in unauthorized read access to any file the user privileges allow, posing a significant confidentiality risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

Frontend File Manager Plugin

unknown

Version	Status	Constraints
`0`	affected	≤ 23.6

No data.

Vendor Product Confidence Versions

Frontend File Manager Plugin

80%

Version	Status	Scheme	Platform
`[0,23.6]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest version of the Frontend File Manager Plugin (23.7 or later) once the maintainer releases a fix.
If an upgrade is not immediately possible, block the download endpoint for non‑admin users by implementing access control checks that validate that the requesting user owns the file or is an administrator.
Configure logging to record all download attempts and monitor for unauthorized activity to detect potential IDOR exploitation.

Generated by OpenCVE AI on May 3, 2026 at 07:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://wpscan.com/vulnerability/3e28aa78-3227-474a-b1db-1f5ea2c42d14/

History

Sun, 03 May 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Frontend File Manager Plugin Frontend File Manager Plugin frontend File Manager Plugin Wordpress Wordpress wordpress
Vendors & Products		Frontend File Manager Plugin Frontend File Manager Plugin frontend File Manager Plugin Wordpress Wordpress wordpress

Sun, 03 May 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-639

Sun, 03 May 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.
Title		Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR
References		https://wpscan.com/vulnerability/3e28aa78-3227-474a-b1db-1f5ea2c42d14/

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-05-03T06:00:05.977Z

Updated: 2026-05-03T06:00:05.977Z

Reserved: 2026-04-01T14:05:29.660Z

Link: CVE-2026-5337

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-03T07:16:24.687

Modified: 2026-05-03T07:16:24.687

Link: CVE-2026-5337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T09:00:10Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object