Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend File Manager Plugin for WordPress stores filenames submitted to a front‑end rename endpoint without sanitising or escaping them prior to rendering in the admin file‑manager view. As a result, a maliciously crafted filename that contains JavaScript can be persisted in the database as post meta and later executed when an administrator views the file list, granting the attacker the ability to run arbitrary code in the admin’s context. This behaviour is a classic example of a stored cross‑site scripting flaw.

Affected Systems

The vulnerability applies to all installations of the Frontend File Manager Plugin for WordPress with a version of 23.6 or earlier. Any WordPress site that has this plugin installed at those versions is potentially exposed, regardless of other configuration choices.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, with no listing in the CISA KEV catalog. However, the attack path is relatively straightforward: a user with Subscriber-level permissions or higher can upload a crafted filename through the file‑rename endpoint; the filename is stored as post meta; when an administrator later opens the file‑manager interface, the unsanitised string is rendered, causing script execution. While the risk to individual sites may be considered moderate, organisations relying on this plugin should prioritise remediation as the attack vector is clear and the impact is severe if an attacker gains access to an admin account.

Generated by OpenCVE AI on June 24, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend File Manager Plugin to the latest version that sanitises filenames before storage and rendering.
  • Remove all existing post meta entries that contain unescaped filenames, ensuring no malicious scripts remain persisted.
  • Configure a Content Security Policy that blocks inline scripts or restricts script sources to trusted domains to mitigate the impact of any remaining stored payloads.

Generated by OpenCVE AI on June 24, 2026 at 15:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Tue, 23 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
Title Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename
References

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T12:36:40.104Z

Reserved: 2026-05-12T08:47:27.798Z

Link: CVE-2026-8378

cve-icon Vulnrichment

Updated: 2026-06-23T12:36:35.985Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')