Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
Published: 2026-06-23
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend File Manager Plugin for WordPress does not enforce its nonce verification on the file download handler, allowing unauthenticated attackers to download any file uploaded by any user by iterating through file identifiers. This flaw exposes confidential user data and can lead to the disclosure of arbitrary uploaded files, potentially including sensitive documents or credentials stored by site users. The impact is confined to confidentiality; integrity and availability are not directly affected.

Affected Systems

WordPress sites running the Frontend File Manager Plugin up to and including version 23.6 are affected. The vendor is not recorded, but the affected product is the Frontend File Manager Plugin, and any WordPress installation that has not upgraded past 23.6 is at risk.

Risk and Exploitability

The vulnerability is exploitable by sending unauthenticated HTTP requests to the download endpoint and guessing numeric or sequential IDs. No CVSS score is published, and an EPSS score is not available, so the exploit probability cannot be quantified from the data, but the attack is straightforward and requires no special privileges. The flaw is not listed in CISA’s KEV catalogue, indicating no publicly known widespread exploitation as of now.

Generated by OpenCVE AI on June 23, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend File Manager Plugin to the latest version that removes the nonce enforcement flaw.
  • If an upgrade is not available or feasible, delete or disable the plugin to eliminate the vulnerable download endpoint.
  • Configure the web server or application firewall to block unauthenticated requests to the file download handler or to require authentication for any file retrieval.
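To make the recommended fix concrete, the following is an added illustration of a WordPress download handler, not the plugin's own code: a short version of the defect class (a nonce check whose result is ignored) next to a hardened handler that enforces the nonce, requires authentication, and checks that the requester owns the file. The hook name `ffm_download`, the `ffm_file` post type, the `_ffm_path` meta key and the helper functions are assumptions for the example.

```php
<?php
// Added illustration, not the plugin's code. Hook, post type, meta key
// and function names below are assumptions made for this example.

// The defect class: the nonce is checked but the result is discarded, and
// there is no owner check, so any file_id can be requested in sequence.
function ffm_download_handler_weak() {
    wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'ffm_download' ); // return value ignored
    ffm_stream_file( absint( $_GET['file_id'] ?? 0 ) );
}

// Hardened handler. A nonce is only a CSRF token: it proves the request
// came from a page this site rendered, not that the user may see the file,
// so authentication and an ownership check are required in addition.
function ffm_download_handler_hardened() {
    // Ends the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'ffm_download', '_wpnonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }

    $file_id = absint( $_GET['file_id'] ?? 0 );
    $file    = get_post( $file_id );
    if ( ! $file || 'ffm_file' !== $file->post_type ) {
        wp_send_json_error( 'Not found', 404 );
    }

    // Owner or administrator only; without this, any logged-in user with a
    // valid nonce could still iterate other users' file IDs.
    $is_owner = (int) $file->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    ffm_stream_file( $file_id );
}

// Assumed helper: the stored path is read from post meta, never from the request.
function ffm_stream_file( $file_id ) {
    $path = get_post_meta( $file_id, '_ffm_path', true );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_send_json_error( 'Not found', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

// Register only the authenticated hook; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_ffm_download', 'ffm_download_handler_hardened' );
```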



Advisories

No advisories yet.

History

Tue, 23 Jun 2026 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Frontend File Manager Plugin (frontend File Manager Plugin); Wordpress (wordpress)
Vendors & Products                    Frontend File Manager Plugin (frontend File Manager Plugin); Wordpress (wordpress)

Tue, 23 Jun 2026 07:30:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-284; CWE-287

Tue, 23 Jun 2026 06:45:00 +0000

Type                 Values Removed   Values Added
Description                           The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
Title                                 Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T06:00:02.816Z

Reserved: 2026-05-12T08:47:44.253Z

Link: CVE-2026-8379

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T09:15:07Z

Weaknesses