CVE-2026-1280
📋 TL;DR
This vulnerability in the Frontend File Manager WordPress plugin allows unauthenticated attackers to share any uploaded file via email by exploiting a missing capability check. Attackers can enumerate sequential file IDs to exfiltrate sensitive data intended only for administrators. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Frontend File Manager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete data breach of all uploaded files including sensitive documents, credentials, and proprietary information stored via the plugin.
Likely Case
Exfiltration of sensitive user-uploaded files containing personal data, financial information, or confidential business documents.
If Mitigated
Limited exposure if no sensitive files were uploaded through the plugin or if files were stored with proper encryption.
🎯 Exploit Status
Simple HTTP POST request to vulnerable AJAX endpoint with file ID parameter. Attackers can brute-force sequential IDs to enumerate all files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Frontend File Manager' and click 'Update Now'.
4. Verify the plugin version is 23.6 or higher.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Add a capability check to prevent unauthorized access to the wpfm_send_file_in_email action:
Add 'if (!current_user_can('manage_options')) { wp_die(); }' before line 98 in inc/callback-functions.php
Deactivate plugin
Temporarily disable the Frontend File Manager plugin:
wp plugin deactivate nmedia-user-file-uploader
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to /wp-admin/admin-ajax.php with action=wpfm_send_file_in_email from unauthenticated users
- Monitor and alert on unusual email sending activity or file enumeration attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the plugin version is 23.5 or earlier on the WordPress admin plugins page or via wp plugin list --field=version --name=nmedia-user-file-uploader
Check Version:
wp plugin list --field=version --name=nmedia-user-file-uploader
Verify Fix Applied:
Confirm the plugin version is 23.6+ and test that unauthenticated POST requests to admin-ajax.php with action=wpfm_send_file_in_email return an authorization error rather than sending the file
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wpfm_send_file_in_email from same IP
- Failed authorization attempts for wpfm_send_file_in_email action
Network Indicators:
- Unusual email traffic from WordPress server
- Pattern of sequential file ID requests to AJAX endpoint
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wpfm_send_file_in_email" AND NOT user="authenticated"
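The log and network indicators above (repeated POSTs to admin-ajax.php carrying this action from one IP, and a run of sequential file IDs) can be checked directly against web server access logs. The following is an added example, not code from the advisory or from the plugin: it parses Apache combined-format lines, keeps only POST requests whose query string names the wpfm_send_file_in_email action, and flags source IPs by request volume and by the longest run of consecutive file IDs. The sample log lines are constructed, and the parameter name file_id is an assumption (the advisory does not name the file ID parameter); adjust the regex and parameter name to your own log format.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ACTION = "wpfm_send_file_in_email"
FILE_ID_PARAM = "file_id"  # assumed parameter name; confirm against your plugin version

# Constructed sample access log (Apache combined format), not taken from the advisory.
# 203.0.113.7 walks file IDs 101..106; 198.51.100.4 sends one legitimate request.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=101 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=102 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=103 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=104 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=105 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=106 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:12:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=42 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:12:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 22 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Mar/2026:12:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email&file_id=7 HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
])

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return an event dict for requests to admin-ajax.php with the vulnerable action, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [None])[0] != ACTION:
        return None
    raw_id = qs.get(FILE_ID_PARAM, [None])[0]
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "file_id": int(raw_id) if raw_id is not None and raw_id.isdigit() else None,
    }


def longest_sequential_run(ids):
    """Length of the longest run of file IDs that each increase by exactly one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(log_text, min_requests=5, min_run=4):
    """Group POSTs carrying the vulnerable action by source IP and flag volume or sequential-ID patterns."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST":
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, events in by_ip.items():
        ids = [e["file_id"] for e in events if e["file_id"] is not None]
        run = longest_sequential_run(ids)
        if len(events) >= min_requests or run >= min_run:
            findings[ip] = {
                "requests": len(events),
                "longest_sequential_run": run,
                "denied": sum(1 for e in events if e["status"] in (401, 403)),
                "file_ids": ids,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} requests, "
              f"sequential run {info['longest_sequential_run']}, denied {info['denied']}")
```

The "denied" count is worth tracking after patching: once the capability check is in place, the same enumeration traffic shows up as a burst of authorization failures from one IP, which matches the "Failed authorization attempts" indicator above. Real access logs only record the query string, so if the plugin is driven with the action in the POST body the data has to come from the WordPress or WAF log instead.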
🔗 References
- https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98
- https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve