CVE-2021-4368
📋 TL;DR
The Frontend File Manager WordPress plugin, up to and including version 18.2, has an authenticated settings-change vulnerability. Attackers with a subscriber-level account can modify plugin settings such as the allowed file types, potentially leading to remote code execution. This affects WordPress sites running vulnerable versions of the plugin.
💻 Affected Systems
- WordPress Frontend File Manager plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, malware distribution, or site defacement.
Likely Case
Attackers upload malicious files to execute code, install backdoors, or modify site functionality.
If Mitigated
Limited to subscriber account compromise if proper access controls and file upload restrictions are in place.
🎯 Exploit Status
Exploitation requires authenticated subscriber access. Public exploit details exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 18.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Frontend File Manager.
4. Click 'Update Now' if available.
5. Alternatively, download version 18.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the wpfm_save_settings AJAX action. Add the following to the theme's functions.php or to a custom plugin (remove_action only takes effect if it runs after the plugin has registered the hook; a theme's functions.php loads after plugins, so it is a safe place):
remove_action('wp_ajax_wpfm_save_settings', 'wpfm_save_settings');
remove_action('wp_ajax_nopriv_wpfm_save_settings', 'wpfm_save_settings');
Temporarily disable plugin
Deactivate the Frontend File Manager plugin until it is patched:
wp plugin deactivate nmedia-user-file-uploader
🧯 If You Can't Patch
- Restrict subscriber account creation and review existing subscriber accounts
- Implement web application firewall rules to block suspicious AJAX requests to wpfm_save_settings
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. Version 18.2 or lower is vulnerable.
Check Version:
wp plugin get nmedia-user-file-uploader --field=version
Verify Fix Applied:
Confirm plugin version is 18.3 or higher. Test if subscriber accounts can modify plugin settings.
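The version check above, as an added example that is not part of the original advisory: it reads the version string that `wp plugin get nmedia-user-file-uploader --field=version` prints and compares it numerically against 18.3, the first patched release named on this page. The numeric comparison matters because, compared as strings, "18.10" sorts before "18.3" and a patched install would be misreported as vulnerable. The `installed_version` helper and its use of wp-cli are an assumption for illustration; the check itself works on any version string you pass in.

```python
# Added example (not from the advisory): classify a Frontend File Manager
# version string as vulnerable (<= 18.2) or patched (>= 18.3).
import re
import subprocess

FIXED_VERSION = (18, 3)  # first patched release named by the advisory


def parse_version(text: str) -> tuple:
    """Turn '18.2', '18.3.1' or '18.10' into a tuple of ints.

    Tuple comparison is numeric, so (18, 10) > (18, 3); a plain string
    comparison would get this wrong.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the 18.3 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_version(slug: str = "nmedia-user-file-uploader") -> str:
    """Ask wp-cli for the installed version.

    Assumes `wp` is on PATH and this runs from the site root (hypothetical
    wrapper for illustration; the advisory only shows the raw command).
    """
    out = subprocess.run(
        ["wp", "plugin", "get", slug, "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    verdict = "VULNERABLE - update to 18.3 or later" if is_vulnerable(v) else "patched"
    print(f"Frontend File Manager {v}: {verdict}")
```

A version check only confirms the fix is installed; it does not replace the second verification step, confirming that a subscriber account can no longer change plugin settings.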
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=wpfm_save_settings from subscriber accounts
- Unusual file uploads or settings changes in plugin logs
Network Indicators:
- AJAX requests to wpfm_save_settings endpoint from unauthorized IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wpfm_save_settings"
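The log indicator listed above, implemented as an added example that is not part of the original advisory: it parses combined-format access-log lines and flags requests to admin-ajax.php whose query string names the wpfm_save_settings action. It goes slightly beyond the page's POST-only indicator by flagging any HTTP method, because admin-ajax.php dispatches on the `action` request parameter regardless of method. The sample log lines are constructed. Two caveats a practitioner should keep in mind: an access log only shows `action` when it travels in the query string, not in a POST body, so body inspection needs a WAF or application-level logging; and the web-server log does not identify the WordPress user, so attributing a hit to a subscriber account requires correlation with application logs.

```python
# Added example (not from the advisory): find access-log requests that
# invoke the wpfm_save_settings AJAX action. Sample lines are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_ACTION = "wpfm_save_settings"  # the AJAX action named in the advisory


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry) -> bool:
    """True for any request to admin-ajax.php with action=wpfm_save_settings.

    Only the query string is visible here; for a POST that carries `action`
    in its body the access log shows nothing, which is why this check is a
    supplement to, not a replacement for, WAF or application logging.
    """
    if entry is None:
        return False
    parts = urlsplit(entry["path"])
    # endswith() keeps the check valid for sites installed in a subdirectory.
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    actions = parse_qs(parts.query).get("action", [])
    return TARGET_ACTION in actions  # exact match: WP hook names are case-sensitive


def find_suspicious(lines):
    """Parsed entries, in log order, that invoke the vulnerable action."""
    return [e for e in map(parse_line, lines) if is_suspicious(e)]


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2021:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_save_settings HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2021:13:55:40 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2021:13:56:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpfm_save_settings HTTP/1.1" 200 43 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Oct/2021:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]}')
```

On a patched site every remaining hit is worth a look, since the action should only ever be reached by administrators; on an unpatched site the same output is a list of requests to investigate and accounts to review.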
🔗 References
- https://blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multiple-critical-vulnerabilities/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2554359%40nmedia-user-file-uploader&new=2554359%40nmedia-user-file-uploader&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/adb1d8b0-b1d6-40df-b591-f1062ee744fb?source=cve