Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename
Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1. Range: <= 23.6
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it in the admin interface."
Attack vector
An attacker with Subscriber-level access or above sends a crafted filename containing JavaScript payloads to the frontend file-rename endpoint. The plugin stores the malicious filename as post meta without sanitization or escaping. When an administrator views the File Manager listing in the admin dashboard, the payload executes in the administrator's browser session. [ref_id=1]
Affected code
The Frontend File Manager Plugin (through version 23.6) fails to sanitize or escape a filename submitted to the frontend file-rename endpoint. The unsanitized value is stored as post meta and later rendered back on the admin File Manager listing, allowing stored XSS. [ref_id=1]
What the fix does
The advisory states there is no known fix as of publication [ref_id=1]. The plugin author would need to add input sanitization and output escaping on the filename parameter both when storing it as post meta and when rendering it in the admin File Manager listing.
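The pattern the advisory describes, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX rename handler and listing renderer in the vulnerable form (raw filename stored as post meta and echoed back) beside a hardened form that validates ownership, sanitises on write with sanitize_file_name() and escapes on read with esc_html(). The action name ffm_rename_file, the meta key _ffm_file_name, the nonce name and the capability check are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Frontend File Manager Plugin.
// Action name, meta key, nonce and ownership rule are assumptions.

// --- Vulnerable pattern: raw filename stored and echoed back unescaped ---
function ffm_rename_file_vulnerable() {
    $post_id  = (int) $_POST['file_id'];
    $new_name = $_POST['new_name'];                         // untrusted input, unsanitised
    update_post_meta( $post_id, '_ffm_file_name', $new_name ); // stored verbatim as post meta
    wp_send_json_success();
}

function ffm_render_listing_vulnerable( $post_id ) {
    $name = get_post_meta( $post_id, '_ffm_file_name', true );
    echo '<td>' . $name . '</td>';                          // unescaped output: stored XSS sink
}

// --- Hardened pattern: authorise, sanitise on write, escape on read ---
function ffm_rename_file_hardened() {
    check_ajax_referer( 'ffm_rename', 'nonce' );            // reject cross-site requests
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $post_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    // Assumed rule: only the record's owner or an administrator may rename it.
    $is_owner = $post_id && (int) get_post_field( 'post_author', $post_id ) === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw      = isset( $_POST['new_name'] ) ? wp_unslash( $_POST['new_name'] ) : '';
    $new_name = sanitize_file_name( $raw );                 // strips < > " ' & / \ and similar
    if ( '' === $new_name ) {
        wp_send_json_error( 'invalid filename', 400 );
    }

    update_post_meta( $post_id, '_ffm_file_name', $new_name );
    wp_send_json_success( array( 'name' => $new_name ) );
}

function ffm_render_listing_hardened( $post_id ) {
    $name = get_post_meta( $post_id, '_ffm_file_name', true );
    // Escape at the point of output regardless of what the database holds,
    // so rows written before the fix are neutralised as well.
    echo '<td>' . esc_html( $name ) . '</td>';
}

add_action( 'wp_ajax_ffm_rename_file', 'ffm_rename_file_hardened' );
```

Sanitising on write and escaping on read are independent layers: the first keeps hostile markup out of the stored filename, the second protects the admin listing even for values that reached the database through another path or before the fix. A detection-side check for this class of issue is a query over the plugin's post meta for filename values containing `<` or `>`.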
Preconditions
- Auth: Attacker must have a WordPress account with Subscriber-level or higher privileges
- Input: An administrator must visit the admin File Manager listing page where the malicious filename is rendered
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/19f5dd94-b16c-4ad2-9586-d15ddecf9805/ (tags: mitre, exploit, vdb-entry, technical-description)