VYPR

Frontend File Manager Plugin

by WordPress

CVEs (8)

  • CVE-2026-5337 | Med | May 3, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does…

  • CVE-2025-13382 | Med | Nov 25, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API…

  • CVE-2022-3124 | Oct 3, 2022
    risk 0.01 | cvss | epss 0.06

    The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow them to change the content of arbitrary files on the…

  • CVE-2026-8379 | Jun 23, 2026
    risk 0.00 | cvss | epss 0.00

    The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6…

  • CVE-2023-5105 | Dec 4, 2023
    risk 0.00 | cvss | epss 0.01

    The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`

  • CVE-2022-3126 | Oct 17, 2022
    risk 0.00 | cvss | epss 0.00

    The Frontend File Manager Plugin WordPress plugin before 21.4 does not have a CSRF check when uploading files, which could allow attackers to make logged-in users upload files on their behalf

  • CVE-2022-3125 | Oct 3, 2022
    risk 0.00 | cvss | epss 0.01

    The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to upload arbitrary files on the server and achieve RCE

  • CVE-2022-2356 | Aug 8, 2022
    risk 0.00 | cvss | epss 0.01

    The Frontend File Manager & Sharing WordPress plugin before 1.1.3 does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded.