CVE-2021-4365
📋 TL;DR
An unauthenticated attacker can store malicious script in a WordPress site running the Frontend File Manager plugin by sending a crafted request to the plugin's wpfm_edit_file_title_desc AJAX action (stored cross-site scripting, XSS). The script then runs in the browser of every visitor who views the affected page, where it can steal session cookies or perform actions as that user. Every site running a vulnerable version of the plugin (18.2 or earlier) is affected.
💻 Affected Systems
- WordPress Frontend File Manager plugin
📦 What is this software?
Frontend File Manager (WordPress.org slug nmedia-user-file-uploader) is a WordPress plugin that lets site visitors upload files and edit their titles and descriptions from the public front end rather than from the admin dashboard. Those title and description fields are the injection point for this vulnerability.
⚠️ Risk & Real-World Impact
Worst Case
If an administrator views the injected content, the script runs with the administrator's session: it can create a new administrator account, install a backdoored plugin, deface pages or redirect visitors to malicious sites, leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements, compromising user trust and site integrity.
If Mitigated
With input sanitisation on the AJAX handler and output escaping wherever titles and descriptions are rendered, an injected payload would be stored and displayed as literal text (a file title that reads "<script>...") rather than executed. The impact would be limited to a cosmetically odd title, with no script execution in visitors' browsers.
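What "input validation and output encoding" means in WordPress terms, shown as an added example. This is not code from the Frontend File Manager plugin: the demo_* function names, the demo_edit_title hook name and the meta keys are hypothetical, and the vulnerable half is a stripped-down illustration of the bug class, not the plugin's actual handler.

```php
<?php
// Illustrative AJAX handler pair (added example, hypothetical names).

// VULNERABLE PATTERN: raw POST data is stored and later echoed unescaped, and the
// handler is reachable without logging in.
function demo_edit_title_vulnerable() {
    $file_id = (int) $_POST['file_id'];
    $title   = $_POST['title'];                              // no sanitisation
    update_post_meta($file_id, 'demo_title', $title);        // payload persisted
    echo '<span class="title">' . $title . '</span>';        // no escaping: <script> runs in every viewer's browser
    wp_die();
}
add_action('wp_ajax_nopriv_demo_edit_title', 'demo_edit_title_vulnerable'); // anonymous access

// HARDENED PATTERN: authenticate, authorise, sanitise on input, escape on output.
function demo_edit_title_hardened() {
    // CSRF: the request must carry a nonce issued to this logged-in user.
    check_ajax_referer('demo_edit_title', 'nonce');

    // Authorisation, not just authentication: the caller must own/edit this item.
    $file_id = isset($_POST['file_id']) ? absint($_POST['file_id']) : 0;
    if (!$file_id || !current_user_can('edit_post', $file_id)) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // Sanitise on input: sanitize_text_field() strips tags from a plain-text title;
    // wp_kses_post() keeps only an allow-list of safe markup for a rich description.
    $title = isset($_POST['title'])       ? sanitize_text_field(wp_unslash($_POST['title'])) : '';
    $desc  = isset($_POST['description']) ? wp_kses_post(wp_unslash($_POST['description']))  : '';
    update_post_meta($file_id, 'demo_title', $title);
    update_post_meta($file_id, 'demo_description', $desc);

    // Escape on output as well: stored data is still treated as untrusted.
    wp_send_json_success(array(
        'title_html'       => '<span class="title">' . esc_html($title) . '</span>',
        'description_html' => wp_kses_post($desc),
    ));
}
add_action('wp_ajax_demo_edit_title', 'demo_edit_title_hardened'); // logged-in users only; no nopriv hook
```

The two layers are deliberate: sanitisation stops "<script>" from being stored, and esc_html() turns anything that slips through (or that was stored before the fix) into inert text at render time. Dropping the wp_ajax_nopriv_ registration is what removes the unauthenticated attack surface.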
🎯 Exploit Status
Exploitation requires no authentication: a single crafted POST to /wp-admin/admin-ajax.php with action=wpfm_edit_file_title_desc is enough to store the payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 18.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Frontend File Manager' and click 'Update Now'.
4. Verify the plugin version is 18.3 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the wpfm_edit_file_title_desc AJAX action to prevent exploitation. The wp_ajax_nopriv_ hook is the unauthenticated entry point; removing it alone closes the vector described here while leaving the feature available to logged-in users. Removing both hooks disables the feature for everyone.
Add to theme's functions.php: remove_action('wp_ajax_wpfm_edit_file_title_desc', 'wpfm_edit_file_title_desc');
Add to theme's functions.php: remove_action('wp_ajax_nopriv_wpfm_edit_file_title_desc', 'wpfm_edit_file_title_desc');
Caveat: remove_action() only succeeds if the callback name and priority match exactly what the plugin registered, and if it runs after the plugin has added the hook. A call placed directly in functions.php runs when the theme loads; if the plugin registers its AJAX hooks later (for example on init), the removal silently does nothing. Confirm the callback name in the plugin source and, if needed, wrap the removal in an init hook with a late priority. After applying it, re-test that an unauthenticated POST to the action no longer reaches the handler.
Disable plugin
Temporarily deactivate the Frontend File Manager plugin until patched (this also removes front-end file management for legitimate users):
wp plugin deactivate nmedia-user-file-uploader
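A more reliable form of the first workaround, as an added example (not code from the Frontend File Manager plugin): a must-use plugin that intercepts the unauthenticated action at priority 0 and terminates the request before the plugin's own callback can run, so it does not depend on guessing the callback name, priority or registration timing. It also logs the blocked request body, which the web server's access log would not capture. The function name cve_2021_4365_block_nopriv is chosen for this example and is not a plugin API.

```php
<?php
/**
 * Plugin Name: CVE-2021-4365 workaround (block unauthenticated wpfm_edit_file_title_desc)
 * Description: Added example. Save as wp-content/mu-plugins/cve-2021-4365-block.php.
 *              Must-use plugins load before regular plugins, so this hook is always present.
 */

// Hypothetical function name chosen for this example.
function cve_2021_4365_block_nopriv() {
    // Build a compact record of the attempt. Standard access logs keep only the
    // request line, not the POST body, so this is often the only copy of the payload.
    $post = array();
    foreach (wp_unslash($_POST) as $key => $value) {
        // Escape before logging so the log stays safe to open in a browser-based viewer.
        $post[sanitize_key($key)] = is_scalar($value)
            ? substr(esc_html((string) $value), 0, 200)
            : '[non-scalar]';
    }
    $record = array(
        'event' => 'cve-2021-4365-blocked',
        'time'  => gmdate('c'),
        'ip'    => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        'ua'    => isset($_SERVER['HTTP_USER_AGENT']) ? substr($_SERVER['HTTP_USER_AGENT'], 0, 200) : '',
        'post'  => $post,
    );
    error_log(wp_json_encode($record));

    // Terminate here: the plugin's own callback (normally at the default priority 10)
    // never runs for this unauthenticated request.
    wp_send_json_error(array('message' => 'Forbidden'), 403);
}

// Priority 0 runs before any callback the plugin registers on the same hook,
// whenever it registers it; a bare remove_action() in functions.php cannot promise that.
add_action('wp_ajax_nopriv_wpfm_edit_file_title_desc', 'cve_2021_4365_block_nopriv', 0);
```

To also cut off logged-in users, add the same function to wp_ajax_wpfm_edit_file_title_desc; that disables title and description editing for everyone. Delete the file once the plugin has been updated to 18.3 or later. The JSON lines it writes to the PHP error log give you the blocked payloads and source IPs for the detection queries below.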
🧯 If You Can't Patch
- Put a Web Application Firewall (WAF) with XSS rules in front of the site, scoped at least to POST requests to admin-ajax.php carrying action=wpfm_edit_file_title_desc. Signature matching is bypassable (URL or HTML entity encoding, event-handler attributes instead of script tags), so treat it as a speed bump, not a fix.
- Deploy a Content Security Policy (CSP) that disallows inline script (nonce- or hash-based script-src). This stops a stored payload from executing but does not remove it from the database, and WordPress core and many plugins rely on inline scripts, so test the policy in report-only mode before enforcing it.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Frontend File Manager'. If version is 18.2 or lower, the site is vulnerable.
Check Version:
wp plugin get nmedia-user-file-uploader --field=version
Verify Fix Applied:
After updating, confirm plugin version shows 18.3 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wpfm_edit_file_title_desc whose parameters contain script tags, javascript: URLs or event-handler attributes (onerror=, onload=), in raw or URL-encoded form
- Bursts of POSTs to admin-ajax.php from clients with no WordPress login cookie (no wordpress_logged_in_* cookie), especially from scripted user agents, or with unexpected response codes for that action
Network Indicators:
- HTTP requests with malicious payloads in parameters targeting the vulnerable endpoint
- Unexpected script tags or event-handler attributes in page responses, in particular in file titles and descriptions rendered by the plugin; also inspect the stored titles and descriptions in the database, since a payload injected before detection started will not appear in current logs
SIEM Query:
source="*access.log*" AND "admin-ajax.php" AND "wpfm_edit_file_title_desc" AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=")
Note: the exploit is a POST, and standard web-server access logs record only the request line and query string, not the POST body. The action name and payload above will only appear in logs that capture request bodies (WAF or ModSecurity audit logs, a reverse proxy with body logging, or an application-level log). Against a plain access log, fall back to volume-based hunting: repeated POSTs to admin-ajax.php from a single source without a login cookie.
🔗 References
- https://blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2554359%40nmedia-user-file-uploader&new=2554359%40nmedia-user-file-uploader&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9c82154-d390-44ba-a54a-89f4bb69cdce?source=cve