CVE-2025-14804
Description
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter or the ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can delete arbitrary files on the server via a path validation flaw in Frontend File Manager plugin before 23.5.
Vulnerability
Overview
The Frontend File Manager Plugin for WordPress, versions before 23.5, contains a vulnerability that allows authenticated users to delete arbitrary files on the server. The plugin fails to validate a path parameter and does not verify file ownership, enabling any authenticated user, including those with subscriber-level access, to exploit this flaw [1].
Exploitation
An attacker needs only to be authenticated as a subscriber or higher to exploit this vulnerability. By manipulating the path parameter in a file deletion request, the attacker can target any file on the server, bypassing intended access controls [1].
Impact
Successful exploitation allows an attacker to delete arbitrary files, which could lead to data loss, service disruption, or further compromise of the WordPress site. The vulnerability is rated High with a CVSS v3 score of 7.7, indicating significant potential for damage.
Mitigation
The vulnerability has been fixed in version 23.5 of the plugin. Users are strongly advised to update to the latest version immediately. No workarounds are mentioned in the advisory [1].
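For defenders reviewing similar file-manager code, the following is an added example (not the plugin's own code, and not the 23.5 fix) of a WordPress AJAX delete handler that enforces the two checks the advisory describes as missing: the requested path must resolve inside the calling user's own upload directory, and the file must be recorded as owned by that user. The action name, the directory layout under wp-content/uploads/ffm-example/<user_id>/, and the ffm_example_owner user-meta key are constructed assumptions.

```php
<?php
// Added example, not code from the Frontend File Manager plugin.
// Assumed layout: each user's files live in wp-content/uploads/ffm-example/<user_id>/
// and the file names a user uploaded are stored as an array in the
// 'ffm_example_owner' user meta (both names are constructed for this example).

add_action( 'wp_ajax_ffm_example_delete', 'ffm_example_delete_file' );

function ffm_example_user_dir( int $user_id ): string {
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'ffm-example/' . $user_id;
}

function ffm_example_delete_file(): void {
    // CSRF protection: nonce minted when the file list was rendered.
    check_ajax_referer( 'ffm_example_delete', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Accept only a bare file name from the client, never a path.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || basename( $name ) !== $name ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // Path validation: the canonical path must sit strictly under this user's directory.
    $base = realpath( ffm_example_user_dir( $user_id ) );
    $path = realpath( $base . '/' . $name );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Ownership check: the file must have been recorded against this user at upload time.
    $owned = (array) get_user_meta( $user_id, 'ffm_example_owner', true );
    if ( ! in_array( $name, $owned, true ) ) {
        wp_send_json_error( 'not your file', 403 );
    }

    // wp_delete_file_from_directory() re-checks that $path is inside $base before unlinking.
    if ( ! wp_delete_file_from_directory( $path, $base ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}
```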
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.