CVE-2026-5337

🗓️ 03 May 2026 06:00:05Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 17 Views🌐 WEB

Authenticated subscribers can download other users' files via IDOR in File Manager Plugin <=23.6.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-5337	3 May 202606:00	–	attackerkb
CNNVD	WordPress plugin Frontend File Manager Plugin 安全漏洞	3 May 202600:00	–	cnnvd
Cvelist	CVE-2026-5337 Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR	3 May 202606:00	–	cvelist
EUVD	EUVD-2026-26818	3 May 202606:00	–	euvd
NVD	CVE-2026-5337	3 May 202607:16	–	nvd
Positive Technologies	PT-2026-36684	3 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-5337	4 May 202620:21	–	redhatcve
Vulnrichment	CVE-2026-5337 Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR	3 May 202606:00	–	vulnrichment

Vulners

Node

najeebmedia frontend_file_manager_pluginRange≤23.6wordpress

[
  {
    "vendor": "Unknown",
    "product": "Frontend File Manager Plugin",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThanOrEqual": "23.6"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/3e28aa78-3227-474a-b1db-1f5ea2c42d14/

Parameter	Position	Path	Description	CWE
file_id	query param	/?do=wpfm_download	Authenticated attackers with Subscriber-level access can modify file_id in the download endpoint to access files of other users (IDOR).	CWE-639
nm_file_nonce	query param	/?do=wpfm_download	Authenticated attackers with Subscriber-level access can modify file_id in the download endpoint to access files of other users (IDOR).	CWE-639

17 Jun 2026 10:58Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.5

EPSS0.00212

SSVC

CWE-639