CVE-2021-4369

Name of the Vulnerable Software and Affected Versions Frontend File Manager plugin for WordPress versions up to, and including, 18.2

Description The issue arises from lacking authorization protections, checks against users editing other's posts, and a missing security nonce on the "wpfm edit file title desc" AJAX action. This allows unauthenticated attackers to edit the content and title of every page on the site.

Recommendations For versions up to, and including, 18.2, consider disabling the "wpfm edit file title desc" AJAX action until a patch is available. Restrict access to the Frontend File Manager plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.