CVE-2021-4350

7.2 HIGH

📋 TL;DR

The Frontend File Manager WordPress plugin, up to and including version 18.2, allows unauthenticated attackers to send emails with attacker-supplied HTML content through the site's own email functionality, via an AJAX action that is exposed to unauthenticated users. This lets attackers use vulnerable WordPress sites as spam relays. Every WordPress site running a vulnerable version of this plugin is affected.

💻 Affected Systems

Products:
  • WordPress Frontend File Manager Plugin
Versions: Up to and including 18.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Site becomes a spam relay, damaging its reputation, getting it blacklisted by email providers, and potentially enabling phishing campaigns.

🟠 Likely Case

Site used for spam email distribution, leading to email deliverability issues and reputation damage.

🟢 If Mitigated

Limited impact if email sending is restricted or monitored, but still represents unauthorized use of the system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only unauthenticated HTTP POST requests to the vulnerable AJAX endpoint and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.3 or later

Vendor Advisory: https://wordpress.org/plugins/frontend-file-manager/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find Frontend File Manager.
4. Click Update Now, or manually update to version 18.3 or later.
5. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint (applies to: all)

Add the following to the active theme's functions.php to unregister the unauthenticated (nopriv) AJAX action. Placing it in a must-use plugin instead will keep it from being lost on a theme update. remove_action() only succeeds if the hook name, callback and priority match what the plugin registered, so confirm the callback name against the installed plugin's source before relying on this:

    add_action('init', function () {
        // Unhook the unauthenticated handler; the logged-in wp_ajax_ handler is untouched.
        remove_action('wp_ajax_nopriv_wpfm_send_file_in_email', 'wpfm_send_file_in_email');
    });

Disable plugin (applies to: all)

Temporarily deactivate the Frontend File Manager plugin until it has been patched.

🧯 If You Can't Patch

  • Implement web application firewall rules to block requests to wp-admin/admin-ajax.php carrying the wpfm_send_file_in_email action (admin-ajax.php accepts the action in either the query string or the POST body, so rules should inspect both)
  • Monitor email sending logs for unusual activity and implement rate limiting on email functionality

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and read the Frontend File Manager version. If the version is 18.2 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=frontend-file-manager --field=version

Verify Fix Applied:

Verify plugin version is 18.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=wpfm_send_file_in_email
  • Spike in email sending from WordPress site

Network Indicators:

  • HTTP POST requests to admin-ajax.php with action=wpfm_send_file_in_email from unauthenticated sources (no WordPress login cookie)

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "wpfm_send_file_in_email"
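To make the log indicators above concrete, here is an added example (not part of this advisory or the plugin) that scans combined-format access-log lines for the wpfm_send_file_in_email action on admin-ajax.php and flags sources that hit it repeatedly. The log lines and the repeat threshold are constructed for illustration; because admin-ajax.php also accepts the action in the POST body, which a plain access log does not record, body-borne requests need WAF or request-body logging to be caught.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email HTTP/1.1" 200 47 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email HTTP/1.1" 200 47 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email HTTP/1.1" 200 47 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "wpfm_send_file_in_email"


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry):
    """The advisory's indicator: admin-ajax.php with the vulnerable action.
    Only the query string is visible here; the POST body is not logged."""
    path, _, query = entry["path"].partition("?")
    return path == ENDPOINT and f"action={ACTION}" in query.split("&")


def scan_log(lines, per_ip_threshold=3):
    """Return matching entries, a per-source count, and sources at/over threshold."""
    hits, per_ip = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits.append(entry)
            per_ip[entry["ip"]] += 1
    bursty = {ip for ip, n in per_ip.items() if n >= per_ip_threshold}
    return hits, per_ip, bursty


if __name__ == "__main__":
    hits, per_ip, bursty = scan_log(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} matching request(s); repeat sources: {sorted(bursty)}")
```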
