Impact
The Frontend File Manager Plugin for WordPress stores filenames submitted to a front‑end rename endpoint without sanitising or escaping them prior to rendering in the admin file‑manager view. As a result, a maliciously crafted filename that contains JavaScript can be persisted in the database as post meta and later executed when an administrator views the file list, granting the attacker the ability to run arbitrary code in the admin’s context. This behaviour is a classic example of a stored cross‑site scripting flaw.
Affected Systems
The vulnerability applies to all installations of the Frontend File Manager Plugin for WordPress with a version of 23.6 or earlier. Any WordPress site that has this plugin installed at those versions is potentially exposed, regardless of other configuration choices.
Risk and Exploitability
The CVSS score of 5.4 classifies the flaw as medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, with no listing in the CISA KEV catalog. However, the attack path is relatively straightforward: a user with Subscriber-level permissions or higher can upload a crafted filename through the file‑rename endpoint; the filename is stored as post meta; when an administrator later opens the file‑manager interface, the unsanitised string is rendered, causing script execution. While the risk to individual sites may be considered moderate, organisations relying on this plugin should prioritise remediation as the attack vector is clear and the impact is severe if an attacker gains access to an admin account.
OpenCVE Enrichment