Lucene search
K

263 matches found

Nuclei
Nuclei
added 10 hours ago29 views

Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending

Frontend File Manager Plugin WordPress plugin through 23.5 contains an open relay and unauthorized file access vulnerability caused by lack of authentication and security checks, letting unauthenticated attackers send emails and access files, exploit requires no authentication. id: CVE-2026-0829...

5.8CVSS6.1AI score0.00682EPSS
Exploits0References4
Nuclei
Nuclei
added 10 hours ago15 views

Frontend File Manager < 21.3 - Unauthenticated File Renaming

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server id:...

5.3CVSS6.3AI score0.06199EPSS
Exploits2References2
Nuclei
Nuclei
added 10 hours ago17 views

WordPress Frontend File Manager < 4.0 & N-Media Post Frontend < 1.1 - Arbitrary File Upload

The Frontend File Manager plugin 4.0 and N-Media Post Front-end Form plugin 1.1 for WordPress were vulnerable to arbitrary file uploads due to missing file type validation. This allowed unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution. id:...

9.8CVSS6.3AI score0.05515EPSS
Exploits2References5
NVD
NVD
added 6 days ago10 views

CVE-2026-12277

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server such as wp-config.php when guest upload mode is enabled. Deleting...

8.7CVSS0.00231EPSS
Exploits1References1
CVE
CVE
added 6 days ago28 views

CVE-2026-12277

The CVE-2026-12277 vulnerability affects the WordPress Frontend File Manager Plugin (through version 23.6). It describes an improper validation of a file path derived from user input when deleting a referenced file, enabling unauthenticated users to delete arbitrary server files (e.g., wp-config....

8.7CVSS5.9AI score0.00231EPSS
Exploits1References1
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-12277 Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server such as wp-config.php when guest upload mode is enabled. Deleting...

0.00231EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/28 12:30 a.m.9 views

EUVD-2026-39968

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfmdirpath parameter sanitization in the wpfmfilemetaupdate AJAX handler, where supplying WPFMDIRPATH i...

8.1CVSS5.8AI score0.00417EPSS
Exploits0References4
NVD
NVD
added 2026/06/28 12:16 a.m.12 views

CVE-2026-8095

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfmdirpath parameter sanitization in the wpfmfilemetaupdate AJAX handler, where supplying WPFMDIRPATH i...

8.1CVSS0.00417EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/27 11:28 p.m.7 views

CVE-2026-8095

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfmdirpath parameter sanitization in the wpfmfilemetaupdate AJAX handler, where supplying WPFMDIRPATH i...

8.1CVSS5.8AI score0.00417EPSS
Exploits0References4
CVE
CVE
added 2026/06/27 11:28 p.m.25 views

CVE-2026-8095

CVE-2026-8095 — The Frontend File Manager Plugin for WordPress (up to version 23.6) is vulnerable to Authenticated Arbitrary File Deletion. A case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler allows an attacker to overwrite the stored file...

8.1CVSS5.8AI score0.00417EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/27 11:28 p.m.29 views

CVE-2026-8095 Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfmdirpath parameter sanitization in the wpfmfilemetaupdate AJAX handler, where supplying WPFMDIRPATH i...

8.1CVSS0.00417EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.27 views

PT-2026-53077

Name of the Vulnerable Software and Affected Versions Frontend File Manager Plugin versions prior to 23.7 Description Authenticated users with Subscriber-level access can delete arbitrary files on the server, including sensitive files like wp-config.php, which may lead to a full site takeover. Th...

8.1CVSS5.8AI score0.00417EPSS
Exploits0References11
NVD
NVD
added 2026/06/26 7:16 a.m.9 views

CVE-2026-8380

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugi...

6.5CVSS0.00342EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/26 6:0 a.m.36 views

CVE-2026-8380 Frontend File Manager Plugin <= 23.6 - Author+ Arbitrary Post Deletion

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugi...

0.00342EPSS
Exploits1References1
CVE
CVE
added 2026/06/26 6:0 a.m.28 views

CVE-2026-8380

The CVE-2026-8380 issue affects the Frontend File Manager (nmedia-user-file-uploader) WordPress plugin

6.5CVSS5.9AI score0.00342EPSS
Exploits1References1
NVD
NVD
added 2026/06/23 7:16 a.m.12 views

CVE-2026-8378

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability...

5.4CVSS0.00133EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 7:16 a.m.12 views

CVE-2026-8379

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating...

7.5CVSS0.0024EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 6:0 a.m.14 views

CVE-2026-8378

CVE-2026-8378 affects the WordPress plugin “Frontend File Manager” up to version 23.6. The vulnerability is a Stored Cross-Site Scripting (XSS) in the frontend file-rename endpoint: the plugin does not sanitize or escape the submitted filename before storing it as post meta and re-rendering it in...

5.4CVSS5.9AI score0.00133EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 6:0 a.m.39 views

CVE-2026-8378 Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability...

0.00133EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 6:0 a.m.39 views

CVE-2026-8379 Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating...

0.0024EPSS
Exploits0References1
Rows per page
Query Builder