CVE-2021-4356
📋 TL;DR
The Frontend File Manager WordPress plugin allows unauthenticated attackers to download arbitrary files from the web server's filesystem: the plugin's AJAX handler performs no authentication or capability check and does not sanitize the supplied file path. All sites running plugin version 18.2 or earlier are affected. An attacker can read files such as wp-config.php, which contains the database credentials and the authentication salts.
💻 Affected Systems
- WordPress Frontend File Manager plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover through database credential theft from wp-config.php, leading to defacement, malware injection, or data exfiltration.
Likely Case
Sensitive file disclosure including configuration files, user data, and backup files, potentially enabling further attacks.
If Mitigated
Impact is limited only where the vulnerable action is blocked (WAF rule, hook removed, or plugin deactivated). Filesystem permissions do not help, because the read is performed by the PHP worker, which must itself be able to open wp-config.php. If exposure is suspected, rotate the database password and the AUTH/SECURE keys and salts after patching.
🎯 Exploit Status
Exploitation needs a single HTTP request to the plugin's AJAX endpoint with a path-traversal string in the file parameter; no credentials or prior access are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Frontend File Manager' and click 'Update Now'.
4. Verify the installed version is 18.3 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the wpfm_file_meta_update AJAX action.
Add the following to the theme's functions.php, or preferably as a must-use plugin (wp-content/mu-plugins/) so it survives a theme switch. It is hooked on 'init' at a late priority so it runs after the plugin has registered its callbacks but before admin-ajax.php dispatches the action:
<?php
// Unhook the vulnerable AJAX action for both logged-in and anonymous callers.
add_action('init', function () {
    remove_action('wp_ajax_wpfm_file_meta_update', 'wpfm_file_meta_update');
    remove_action('wp_ajax_nopriv_wpfm_file_meta_update', 'wpfm_file_meta_update');
}, PHP_INT_MAX);
Deactivate plugin
Temporarily disable the plugin until it can be patched (WP-CLI, on the server):
wp plugin deactivate nmedia-user-file-uploader
🧯 If You Can't Patch
- Do not rely on file permissions: the arbitrary read runs as the PHP worker, which must be able to open wp-config.php and the rest of the install. Treat every file readable by the web server process as exposed.
- Add a web application firewall rule that blocks requests to /wp-admin/admin-ajax.php whose action parameter is wpfm_file_meta_update. Inspect both the query string and the POST body, because admin-ajax.php reads the action from $_REQUEST and accepts either.
- Restrict the plugin's upload directory and the AJAX endpoint to trusted source IPs where the site's use of the plugin allows it.
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel (Plugins > Installed Plugins) for plugin version 18.2 or lower. Against a site you own, you can also probe the endpoint directly; on a vulnerable install the response body contains the contents of wp-config.php (for example the DB_PASSWORD define):
curl -s -X POST 'https://example.com/wp-admin/admin-ajax.php' --data 'action=wpfm_file_meta_update&file=../../wp-config.php'
Check Version:
wp plugin get nmedia-user-file-uploader --field=version
Verify Fix Applied:
Confirm the plugin version is 18.3 or higher in the WordPress admin panel (or via the wp-cli command above), and that the probe request above returns an error or an empty/"0" response rather than file contents.
📡 Detection & Monitoring
Log Indicators:
- Requests (GET or POST; admin-ajax.php accepts both) to /wp-admin/admin-ajax.php with action=wpfm_file_meta_update, especially with ../ or percent-encoded %2e%2e sequences in the file parameter
- Unusual file download patterns from non-authenticated users
Network Indicators:
- HTTP POST requests containing 'wpfm_file_meta_update' in parameters
- Large outbound transfers of non-public files
SIEM Query:
source="web_logs" AND uri="*/wp-admin/admin-ajax.php*" AND (uri="*action=wpfm_file_meta_update*" OR post_data="*wpfm_file_meta_update*")
Note: standard access logs record only the request line, so an action passed in the POST body is visible only if you log request bodies or have WAF logs; the uri clause catches the action when it is passed in the query string.
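The log indicators above, turned into a scanner that can be run over an access log. This is an added example and not code from the plugin, the advisory, or the referenced vendors; it assumes Apache/nginx "combined" log format and that the action is visible in the request line (a body-only POST is not detectable from access logs, as the constructed sample shows). The action and parameter names come from this page; the sample log lines are constructed.

```python
"""Flag access-log entries that invoke the wpfm_file_meta_update AJAX action.

Added example for this advisory, not the plugin's own code. Assumes the
combined log format and the 'action'/'file' parameter names the page lists.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_ACTION = "wpfm_file_meta_update"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Apache/nginx combined format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry):
    """Return (severity, reason) for a hit, or None for a benign request.

    admin-ajax.php reads the action from $_REQUEST, so the query string is
    checked for both GET and POST; a body-only POST is invisible here.
    """
    parts = urlsplit(entry["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query)
    if params.get("action", [""])[0] != VULN_ACTION:
        return None
    # parse_qs decoded once; decode again to catch double-encoded traversal.
    file_arg = unquote(params.get("file", [""])[0])
    if TRAVERSAL_RE.search(file_arg) or file_arg.startswith("/"):
        return "high", f"path traversal in file={file_arg!r}"
    return "medium", "vulnerable action invoked"


def scan(lines):
    """Run classify() over log lines and collect the hits in order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        hits.append({
            "ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "status": entry["status"], "size": entry["size"],
            "severity": severity, "reason": reason,
        })
    return hits


# Constructed sample log; 203.0.113.7 is the probing client.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2022:08:14:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpfm_file_meta_update&file=../../wp-config.php HTTP/1.1" 200 3417 "-" "curl/7.81.0"',
    '198.51.100.4 - - [10/Mar/2022:08:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2022:08:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2022:08:14:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_file_meta_update&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3417 "-" "python-requests/2.27"',
    '192.0.2.9 - - [10/Mar/2022:08:15:00 +0000] "GET /index.php HTTP/1.1" 200 15220 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2022:08:16:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_file_meta_update&file=report.pdf HTTP/1.1" 200 88 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]} {hit["ts"]} {hit["method"]} '
              f'{hit["status"]} {hit["size"]}B  {hit["reason"]}')
```

The second sample line is the blind spot: the action name was sent only in the POST body, so nothing in the request line identifies it. If the site's plugin is in use for legitimate uploads, triage the medium hits by client IP and response size; a 200 with a few kilobytes returned for a traversal path is the signature of a successful wp-config.php read.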
🔗 References
- https://blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2554359%40nmedia-user-file-uploader&new=2554359%40nmedia-user-file-uploader&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/79e2011c-5e4d-4d02-831f-6b4dcfcaa51e?source=cve