PT-2026-5093 · WordPress · Frontend File Manager Plugin
Md. Moniruzzaman Prodhan +1 · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-1280
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Frontend File Manager Plugin for WordPress versions prior to 23.6
Description
The Frontend File Manager Plugin for WordPress has a flaw that allows unauthorized file sharing. This is due to a missing check to ensure proper user permissions when handling the 'wpfm send file in email' AJAX action. An attacker can exploit this to share any uploaded file via email by providing a file ID. Because file IDs are sequential integers, attackers can potentially list all uploaded files and obtain sensitive data intended for administrators only. The vulnerable component is the 'wpfm send file in email' AJAX action.
Recommendations
Update to version 23.6 or later.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Frontend File Manager Plugin