Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend File Manager Plugin for WordPress allows file downloads without checking its nonce token, permitting unauthenticated users to retrieve any file uploaded by the plugin. This weakness is an improper access control flaw that lets an attacker acquire files that may contain sensitive data. Based on the description, it is inferred that downloading such files could expose confidential documents or credentials stored by site users, although the specific impact depends on what users have uploaded.

Affected Systems

WordPress sites that use the Frontend File Manager Plugin version 23.6 or earlier are affected. The plugin vendor is not identified, but any WordPress installation containing the vulnerable version of the plugin remains at risk until the plugin is updated beyond 23.6.

Risk and Exploitability

The flaw can be exploited by sending unauthenticated HTTP requests to the download endpoint and iterating numeric or sequential identifiers. No authentication or additional privileges are required to trigger the vulnerability. The CVSS score of 7.5 indicates high severity, but the EPSS score of < 1% shows that exploitation is unlikely at present. The issue is not listed in CISA’s KEV catalogue, suggesting no widely reported exploitation.

Generated by OpenCVE AI on June 24, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Frontend File Manager Plugin to a version that fixes the Improper Access Control vulnerability in the download handler.
  • If an update is not available, disable or uninstall the plugin to remove the vulnerable endpoint that allows unauthorized file downloads.
  • Configure your web server or WAF to block unauthenticated requests to the plugin's download path, or enforce user authentication before allowing file retrieval.

Generated by OpenCVE AI on June 24, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-287

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Tue, 23 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-287

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
Title Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
References

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T13:23:57.974Z

Reserved: 2026-05-12T08:47:44.253Z

Link: CVE-2026-8379

cve-icon Vulnrichment

Updated: 2026-06-23T13:23:40.971Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses

No weakness.