PT-2026-5093 · WordPress · Frontend File Manager Plugin
Md. Moniruzzaman Prodhan +1 · Published 2026-01-28 · Updated 2026-01-28 · CVE-2026-1280
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Frontend File Manager Plugin for WordPress versions prior to 23.6
Description
The Frontend File Manager Plugin for WordPress allows unauthorized file sharing because the 'wpfm send file in email' AJAX action is missing a check that the requesting user has the proper permissions. An attacker can exploit this to share any uploaded file via email by providing a file ID. Because file IDs are sequential integers, attackers can potentially enumerate all uploaded files and obtain sensitive data intended for administrators only. The vulnerable component is the 'wpfm send file in email' AJAX action.
Recommendations
Update to version 23.6 or later.
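For sites that maintain similar custom AJAX handlers, the sketch below shows the object-level authorization that this class of flaw lacks. It is an added example, not the plugin's code or its 23.6 patch; the action name, nonce name, post type and request field names are hypothetical, and it assumes each uploaded file is stored as a WordPress post whose post_author is the uploader.

```php
<?php
// Added illustration: hypothetical handler, not the Frontend File Manager source.
// Assumption: uploads are posts of type 'example_file' owned by post_author.

// Registered for logged-in users only: no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_example_send_file_in_email', 'example_send_file_in_email' );

function example_send_file_in_email() {
    // 1. CSRF: terminates the request unless a valid nonce for this action is present.
    check_ajax_referer( 'example_send_file', 'nonce' );

    // 2. Authentication, kept as defence in depth.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // 3. Input validation: integer file ID and a well-formed recipient address.
    $file_id   = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $recipient = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! $file_id || ! is_email( $recipient ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 4. Object-level authorization. Sequential IDs are guessable, so knowing
    //    an ID must never be enough: require ownership or an admin capability.
    $file     = get_post( $file_id );
    $is_file  = $file && 'example_file' === $file->post_type;
    $is_owner = $is_file && (int) $file->post_author === get_current_user_id();
    if ( ! $is_file || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
        // Same answer for "does not exist" and "not yours", so responses
        // cannot be used to tell which IDs are valid.
        wp_send_json_error( array( 'message' => 'File not found.' ), 404 );
    }

    // 5. Only after every check passes is the file shared.
    $sent = wp_mail(
        $recipient,
        'Shared file: ' . get_the_title( $file ),
        get_permalink( $file )
    );

    if ( $sent ) {
        wp_send_json_success( array( 'message' => 'File sent.' ) );
    }
    wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
}
```

The ownership test in step 4 is what makes the file ID safe to expose. The nonce and login checks alone would still let any authenticated user walk the ID range.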
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Frontend File Manager Plugin