CVE-2021-4350

Name of the Vulnerable Software and Affected Versions Frontend File Manager plugin for WordPress versions up to, and including, 18.2

Description The issue is related to Unauthenticated HTML Injection due to lacking authentication protections on the wpfm send file in email AJAX action. This allows unauthenticated attackers to send emails using the site with custom subject, recipient email, and body containing unsanitized HTML content, effectively turning the site into a spam relay.

Recommendations For versions up to, and including, 18.2, update to a version that includes the necessary authentication protections for the wpfm send file in email AJAX action to prevent unauthenticated access.