VYPR
Medium severity 5.8 · NVD Advisory · Published Feb 17, 2026 · Updated Apr 15, 2026

CVE-2026-0829

Description

The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Frontend File Manager Plugin <=23.5 allows unauthenticated email sending (open relay) and file ID guessing, enabling spam and data exposure.

The Frontend File Manager Plugin for WordPress, in versions through 23.5, contains two security flaws. First, it allows unauthenticated users to send emails through the site without any security checks, effectively turning the WordPress installation into an open mail relay. Second, the plugin permits attackers to guess file IDs and access or share uploaded files without proper authorization.

Attackers can exploit the email relay to send spam or phishing emails from the site, bypassing typical email security controls. The file ID guessing attack requires no authentication and can expose sensitive uploaded documents. Both vulnerabilities stem from missing permission checks and predictable file identifiers.

The impact is twofold: the site can be abused for malicious email campaigns, damaging reputation and potentially leading to blacklisting; and confidential files uploaded by legitimate users can be accessed without consent, leading to data leaks.

As of the latest advisory, no fix has been released. Users of the plugin should consider disabling it or implementing additional security measures, such as web application firewalls, to mitigate the risks [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
