Impact
The Frontend File Manager Plugin for WordPress is vulnerable to authenticated arbitrary file deletion in all releases up to and including version 23.6. The flaw is a case-sensitivity bypass in the wpfm_file_meta_update AJAX handler: the handler unsets the protected WPFM_DIR_PATH meta key only when the client spells it in one exact casing, so a request that supplies the key in uppercase passes the unset check and the plugin overwrites the stored file path with an attacker-controlled filesystem path. That stored path is later passed directly to unlink() in delete_file_locally() with no check that it lies inside the plugin's managed directory, so any file the web server user can write to may be deleted. Consequently, a user with Subscriber or higher privileges can erase critical files such as wp-config.php, which can lead to complete site compromise.
Affected Systems
The affected product is nmedia's Frontend File Manager Plugin for WordPress, versions 23.6 and earlier. Any WordPress site that has this plugin installed and has users with the Subscriber or a higher role is susceptible. The vulnerability exists regardless of the WordPress core version or hosting environment, because the flaw is confined to the plugin's own file-management routines.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is rated High severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog; no public exploit is known, but given the severity a moderate likelihood of exploitation should be assumed. The attack vector is authenticated: it relies on legitimate Subscriber-level access to the plugin's AJAX endpoint (wpfm_file_meta_update). An attacker must first log into the WordPress site with a Subscriber role, then send a request that uses the sanitization bypass to point unlink() at an arbitrary path; success results in deletion of arbitrary server files.
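The Impact and Risk sections above describe two separate defects: a key filter that is defeated by casing, and a delete routine that trusts a stored path. The following PHP is an added illustration written for this page, not the plugin's own code; the function names (filter_meta_weak, filter_meta_hardened, contained_file_path, delete_file_locally_hardened), the allow-list of editable keys and the temporary upload root are assumptions chosen for the example. It shows each weak pattern beside the hardened form a plugin author would want: case-insensitive handling of protected meta keys, and realpath()-based containment before unlink().

```php
<?php
// Added example for this advisory page (not the plugin's code). Names such as
// PROTECTED_META_KEYS and $upload_root are assumptions for the illustration.

// Meta keys the plugin stores itself; a client request must never set them.
const PROTECTED_META_KEYS = ['wpfm_dir_path'];

/**
 * Weak filter: drops the protected key only when the client spelled it in
 * exactly this casing. If the storage layer or a later strtolower() treats
 * keys case-insensitively, any other spelling of the same key survives.
 */
function filter_meta_weak(array $meta): array {
    unset($meta['wpfm_dir_path']);
    return $meta;
}

/**
 * Hardened filter: normalise every key to lower case, refuse protected keys
 * and keep only fields on an explicit allow-list of user-editable meta.
 */
function filter_meta_hardened(array $meta, array $allowed_keys): array {
    $allowed = array_map('strtolower', $allowed_keys);
    $clean = [];
    foreach ($meta as $key => $value) {
        $lower = strtolower((string) $key);
        if (in_array($lower, PROTECTED_META_KEYS, true)) {
            continue; // plugin-owned, never client-controlled
        }
        if (!in_array($lower, $allowed, true)) {
            continue; // unknown field, not user-editable
        }
        $clean[$lower] = $value;
    }
    return $clean;
}

/**
 * Containment check for a stored path before unlink(): resolve symlinks and
 * '..' with realpath() and require the result to sit under $upload_root.
 * Returns the canonical path, or null if the file must not be touched.
 */
function contained_file_path(string $stored_path, string $upload_root): ?string {
    $root = realpath($upload_root);
    $real = realpath($stored_path);
    if ($root === false || $real === false) {
        return null; // root misconfigured or target does not exist
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolves outside the managed directory
    }
    if (!is_file($real)) {
        return null; // refuse directories and special files
    }
    return $real;
}

/** delete_file_locally() as a defender would write it: validate, then unlink. */
function delete_file_locally_hardened(string $stored_path, string $upload_root): bool {
    $path = contained_file_path($stored_path, $upload_root);
    if ($path === null) {
        error_log("wpfm: refused to delete path outside upload root: $stored_path");
        return false;
    }
    return unlink($path);
}

// Demonstration on constructed data: a temporary directory stands in for the
// plugin's upload root, and a file next to it stands in for wp-config.php.
$root = sys_get_temp_dir() . '/wpfm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.pdf', 'demo');
$outside = sys_get_temp_dir() . '/wpfm_outside_' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($outside, 'must survive');

$meta = ['title' => 'Q3 report', 'WPFM_DIR_PATH' => $outside];
var_dump(array_key_exists('WPFM_DIR_PATH', filter_meta_weak($meta)));            // bool(true): weak filter kept it
var_dump(array_key_exists('wpfm_dir_path', filter_meta_hardened($meta, ['title']))); // bool(false): dropped
var_dump(delete_file_locally_hardened($outside, $root));                           // bool(false): refused
var_dump(file_exists($outside));                                                   // bool(true): untouched
var_dump(delete_file_locally_hardened($root . '/files/report.pdf', $root));        // bool(true): in-root delete works

// Clean up the constructed fixtures.
unlink($outside);
rmdir($root . '/files');
rmdir($root);
```

The containment check deliberately canonicalises both the root and the candidate with realpath() before comparing, so symlinks and `..` segments in a stored value cannot escape the prefix test; it also returns null for a non-existent target rather than letting unlink() report the error, which keeps the decision to delete separate from the filesystem call and gives the error_log line a single place to record refusals for monitoring.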
OpenCVE Enrichment