Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugin WordPress plugin through 23.6's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Frontend File Manager Plugin fails to confirm that the user requesting a delete action owns the target post or page. As a result, any authenticated user with author-level permissions and higher, or any visitor when the "Allow guest uploads" option is enabled by an administrator, can permanently delete any content on the site. This loss of content can disrupt site operations, erase valuable data, or remove critical information, but it does not provide code execution or additional privileges beyond the deletion right.

Affected Systems

WordPress sites running the Frontend File Manager Plugin version 23.6 or with the author role or higher can exploit the flaw, and if the plugin’s guest upload feature is enabled, unauthenticated visitors gain the same deletion capability.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of is not listed in the CISA KEV catalog, so no actively exploited code is known currently. Nonetheless the ability to delete all content constitutes a high‑impact risk for any site that relies on the plugin, especially if guest uploads are allowed. The most likely attack vector is an authenticated author or higher role performing a deletion, or an unauthenticated user exploiting the guest‑upload setting if present.

Generated by OpenCVE AI on June 26, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frontend File Manager Plugin to any version newer than 23.6 that implements the ownership check
  • If guest uploads are not required, disable the "Allow guest uploads" option so that unauthenticated users cannot trigger deletions
  • Remove the delete_posts capability from the WordPress author role (or any role that will not be allowed to delete content) using a role‑management plugin to limit deletion privileges until the plugin is updated

Generated by OpenCVE AI on June 26, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-285

Fri, 26 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugin WordPress plugin through 23.6's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users.
Title Frontend File Manager Plugin <= 23.6 - Author+ Arbitrary Post Deletion
References

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-26T15:25:11.755Z

Reserved: 2026-05-12T08:47:46.793Z

Link: CVE-2026-8380

cve-icon Vulnrichment

Updated: 2026-06-26T15:22:51.910Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T21:00:05Z

Weaknesses