Impact
The Frontend File Manager Plugin fails to confirm that the user requesting a delete action owns the target post or page. As a result, any authenticated user with author-level permissions and higher, or any visitor when the "Allow guest uploads" option is enabled by an administrator, can permanently delete any content on the site. This loss of content can disrupt site operations, erase valuable data, or remove critical information, but it does not provide code execution or additional privileges beyond the deletion right.
Affected Systems
WordPress sites running the Frontend File Manager Plugin version 23.6 or with the author role or higher can exploit the flaw, and if the plugin’s guest upload feature is enabled, unauthenticated visitors gain the same deletion capability.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of is not listed in the CISA KEV catalog, so no actively exploited code is known currently. Nonetheless the ability to delete all content constitutes a high‑impact risk for any site that relies on the plugin, especially if guest uploads are allowed. The most likely attack vector is an authenticated author or higher role performing a deletion, or an unauthenticated user exploiting the guest‑upload setting if present.
OpenCVE Enrichment