Frontend File Manager Plugin
by WordPress
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5337 | | Med | 0.42 | 6.5 | 0.00 | | May 3, 2026 | During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does… |
| CVE-2025-13382 | | Med | 0.28 | 4.3 | 0.00 | | Nov 25, 2025 | The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API… |
| CVE-2022-3124 | | | 0.01 | — | 0.06 | | Oct 3, 2022 | The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow them to change the content of arbitrary files on the… |
| CVE-2026-8379 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6… |
| CVE-2023-5105 | | | 0.00 | — | 0.01 | | Dec 4, 2023 | The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`. |
| CVE-2022-3126 | | | 0.00 | — | 0.00 | | Oct 17, 2022 | The Frontend File Manager Plugin WordPress plugin before 21.4 does not have a CSRF check when uploading files, which could allow attackers to make logged-in users upload files on their behalf. |
| CVE-2022-3125 | | | 0.00 | — | 0.01 | | Oct 3, 2022 | The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to upload arbitrary files to the server and achieve RCE. |
| CVE-2022-2356 | | | 0.00 | — | 0.01 | | Aug 8, 2022 | The Frontend File Manager & Sharing WordPress plugin before 1.1.3 does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded. |