Frontend File Manager < 4.0 & N-Media Post Front-end Form < 1.1 - Arbitrary File Upload
Description
The Frontend File Manager (versions < 4.0) and N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the nm_filemanager_upload_file and nm_postfront_upload_file AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated arbitrary file upload vulnerability in two WordPress plugins, in versions prior to the fixed releases, potentially allows RCE via missing file type validation in AJAX actions.
Vulnerability
The arbitrary file upload vulnerability exists in the Frontend File Manager plugin (versions < 4.0) and the N-Media Post Front-end Form plugin (versions < 1.1) for WordPress. The flaw is due to missing file type validation in the nm_filemanager_upload_file and nm_postfront_upload_file AJAX actions, allowing unauthenticated attackers to upload arbitrary files to the server. [1][2]
Exploitation
An attacker can exploit this vulnerability by sending a crafted request to the affected AJAX actions without any authentication. No special network position or user interaction is required. The attacker simply uploads a malicious file (e.g., a PHP web shell) via the vulnerable upload functionality. [1][2]
Impact
Successful exploitation allows the attacker to upload arbitrary files, including executable code, which can lead to remote code execution. This could result in full compromise of the WordPress site, including data theft, defacement, or further escalation. The attacker may achieve the same privileges as the web server process. [1][2]
Mitigation
Updates are available: Frontend File Manager should be updated to version 4.0 or later [1], and N-Media Post Front-end Form should be updated to version 1.1 or later [2]. No workarounds are documented; the only mitigation is to apply the available patches. [2]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
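A log check for the two AJAX actions named above, as an added example that is not part of the original advisory or of either plugin's code. It assumes Combined Log Format access logs and that the action name appears in the request's query string; the sample log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# AJAX action names taken from the advisory text.
VULNERABLE_ACTIONS = {"nm_filemanager_upload_file", "nm_postfront_upload_file"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2016:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=nm_filemanager_upload_file HTTP/1.1" 200 87 "-" "curl/7.50"',
    '198.51.100.4 - - [19/Sep/2016:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [19/Sep/2016:10:02:11 +0000] "POST /blog/wp-admin/admin-ajax.php?action=nm%5Fpostfront%5Fupload%5Ffile HTTP/1.1" 403 12 "-" "-"',
    '198.51.100.4 - - [19/Sep/2016:10:03:00 +0000] "GET /index.php?action=nm_filemanager_upload_file HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

def find_upload_attempts(lines):
    """Return one dict per logged request that invokes a vulnerable AJAX action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue  # only the WordPress AJAX endpoint dispatches these actions
        # parse_qs percent-decodes values, so encoded action names still match.
        matched = set(parse_qs(url.query).get("action", [])) & VULNERABLE_ACTIONS
        for action in sorted(matched):
            hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "status": int(m["status"]), "action": action})
    return hits

if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print(hit)
```

An action name sent only in the POST body does not appear in an access log, so an empty result from this check does not show that the site was never targeted.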
Affected products
- (no CPE), range: <1.1
- (no CPE), range: 0
- Range: <4.0
- nmedia/Frontend File Manager Plugin, v5, Range: 0
Patches
No patches discovered yet.
References
- wordpress.org/plugins/nmedia-user-file-uploader/ (mitre)
- wpscan.com/vulnerability/052f7d9a-aaff-4fb1-92b7-aeb83cc705a7 (mitre)
- www.acunetix.com/vulnerabilities/web/wordpress-plugin-n-media-post-front-end-form-arbitrary-file-upload-1-0/ (mitre)
- www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-front-end-file-upload-and-manager-plugin/ (mitre)
- www.pluginvulnerabilities.com/2016/09/19/arbitrary-file-upload-vulnerability-in-n-media-post-front-end-form/ (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/2c1e6298-f243-49a5-b1b7-52bd6a6c8858 (mitre)