PT-2025-48007 · WordPress · Frontend File Manager Plugin
Rajesh Singh · Published 2025-11-25 · Updated 2025-11-25
CVE-2025-13382
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Frontend File Manager Plugin for WordPress versions prior to 23.4
Description
The plugin does not validate file ownership before processing file rename requests. This allows authenticated attackers with Subscriber-level access or higher to rename files uploaded by other users. The issue is present in the '/wpfm/v1/file-rename' API endpoint, where the fileid parameter is used without proper validation.
Recommendations
Update the Frontend File Manager Plugin for WordPress to version 23.4 or later.
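For sites that maintain similar REST handlers, the ownership check the description says is missing can be enforced in the route's permission callback. The following is an added example, not the plugin's code or its 23.4 patch: the route and the fileid parameter come from the description above, while the `example_*` function names, the `filename` parameter, the `example_file` post type and the idea that files are stored as posts are assumptions made for illustration.

```php
<?php
// Added illustration only, NOT the plugin's source. Route and `fileid` come
// from the advisory; everything named example_* or `filename` is hypothetical.
add_action('rest_api_init', function () {
    register_rest_route('wpfm/v1', '/file-rename', [
        'methods'             => 'POST',
        'callback'            => 'example_rename_file',
        'permission_callback' => 'example_can_rename_file',
        'args'                => [
            'fileid'   => ['required' => true, 'validate_callback' => function ($v) {
                return is_numeric($v) && (int) $v > 0;
            }],
            'filename' => ['required' => true, 'sanitize_callback' => 'sanitize_file_name'],
        ],
    ]);
});

// Flawed pattern matching the description: being logged in is enough,
// so a Subscriber can pass the fileid of a file uploaded by someone else.
function example_can_rename_file_flawed(WP_REST_Request $request) {
    return is_user_logged_in();
}

// Hardened pattern: the record must exist and belong to the caller, unless
// the caller holds a capability that covers other users' content.
function example_can_rename_file(WP_REST_Request $request) {
    if (!is_user_logged_in()) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    $file = get_post((int) $request->get_param('fileid'));
    // Assumption: uploaded files are posts of a custom type, here 'example_file'.
    if (!$file || $file->post_type !== 'example_file') {
        return new WP_Error('rest_not_found', 'File not found.', ['status' => 404]);
    }
    $is_owner = (int) $file->post_author === get_current_user_id();
    if (!$is_owner && !current_user_can('edit_others_posts')) {
        return new WP_Error('rest_forbidden', 'You do not own this file.', ['status' => 403]);
    }
    return true;
}

// Runs only after the permission callback has returned true.
function example_rename_file(WP_REST_Request $request) {
    $id = wp_update_post([
        'ID'         => (int) $request->get_param('fileid'),
        'post_title' => $request->get_param('filename'),
    ], true);
    return is_wp_error($id) ? $id : rest_ensure_response(['fileid' => $id]);
}
```

A regression test for this kind of handler creates a file as one Subscriber, sends the rename request as a second Subscriber, and expects a 403 with the stored name unchanged.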
Fix
IDOR
Affected Products
Frontend File Manager Plugin