PT-2026-36684 · WordPress · Frontend File Manager Plugin

Published: 2026-05-03 · Updated: 2026-05-03 · CVE-2026-5337

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Frontend File Manager Plugin (WordPress), versions prior to 23.7
Description: Authenticated attackers with Subscriber-level access or higher can perform an Insecure Direct Object Reference (IDOR) attack, which occurs when an application provides direct access to objects based on user-supplied input. The issue exists because the plugin fails to properly validate user authorization for the requested uploaded file during download requests. By modifying the file id parameter in the 'do=wpfm download' endpoint, an attacker can gain unauthorized read access to sensitive files belonging to other users, including administrators.
Recommendations: Update the plugin to a version later than 23.6. As a temporary workaround, restrict access to the 'do=wpfm download' endpoint, or to the file id parameter, to minimize the risk of unauthorized file access.
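A simplified illustration of the missing check described above, added here as an example and not the plugin's own code: a WordPress download handler that accepts a file id from an authenticated user without an ownership check, beside a hardened version that verifies the requester owns the attachment (or holds an administrative capability) before reading it from disk. The function names and the `file_id` request parameter are assumptions, not identifiers from the plugin.

```php
<?php
// Added illustration (not the plugin's own code). Function names and the
// assumed 'file_id' request parameter are hypothetical.

// Vulnerable pattern: the caller is authenticated, but nothing ties the
// requested id to the caller, so any attachment id can be downloaded (IDOR).
function ffm_demo_download_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 403 );
    }
    $file_id = absint( $_GET['file_id'] ?? 0 );
    $path    = get_attached_file( $file_id ); // resolves any owner's file
    if ( ! $path || ! file_exists( $path ) ) {
        wp_die( 'Not found', 404 );
    }
    ffm_demo_send_file( $path );
}

// Hardened pattern: resolve the object first, then verify that the requester
// owns it (or holds an administrative capability) before touching the disk.
function ffm_demo_download_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 403 );
    }
    $file_id = absint( $_GET['file_id'] ?? 0 );
    $post    = get_post( $file_id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_die( 'Not found', 404 );
    }
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        // Answer 404, not 403, so a foreign id is indistinguishable from a missing one.
        wp_die( 'Not found', 404 );
    }
    $path = get_attached_file( $file_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_die( 'Not found', 404 );
    }
    ffm_demo_send_file( $path );
}

// Shared helper: stream the file with a download disposition and stop.
function ffm_demo_send_file( $path ) {
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

In a real plugin the hardened handler would be wired to the plugin's own download action, and which capability counts as administrative should follow the plugin's role model rather than the `manage_options` placeholder used here.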

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-5337

Affected Products: Frontend File Manager Plugin