Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-accessible, no authentication, no user interaction required; impact limited to confidentiality via file disclosure with no integrity or availability consequence.
Primary rating from Vendor (WPScan).
CVSS Vector (Vendor: WPScan): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (source: CVE.org)
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user by iterating file identifiers.
Analysis (AI-generated)
Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, stripping the only access control gate between unauthenticated HTTP requests and user-uploaded content. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The Frontend File Manager Plugin must be installed and activated on the WordPress site; it is not a core WordPress component, so only sites that have explicitly installed it are vulnerable. … |
| Risk Assessment | The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) correctly reflects an unauthenticated, low-complexity, network-accessible confidentiality breach; the vector is internally consistent with the described behavior. … |
| Exploit Scenario | An attacker sends a series of unauthenticated HTTP GET or POST requests to the plugin's file download endpoint (e.g., wp-admin/admin-post.php or wp-ajax), incrementing a numeric file ID parameter from 1 upward and omitting or supplying an invalid nonce value. Because the nonce check is not properly enforced, the server returns each file's contents directly, allowing the attacker to bulk-download all user-uploaded files, such as scanned ID documents, contracts, or medical records, in minutes using a simple loop script. … |
| Remediation | No specific patched version number is confirmed in the available data; the WPScan advisory at https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/ should be consulted for the current fix version, as the WordPress plugin repository may have issued a patched release. … |
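The advisory above describes a download handler whose nonce check is not enforced, and no patched version is confirmed. As an added illustration (not the Frontend File Manager Plugin's own code), the following is a minimal WordPress AJAX download handler that acts on the nonce result and, because a nonce is only a CSRF token and not an authorization decision, also verifies that the requester owns the file. The action name `ffm_download`, the per-file nonce action, and the attachment-based storage model are assumptions.

```php
<?php
// Added example, not the Frontend File Manager Plugin's code.
// Assumptions: files are stored as WordPress attachments whose post_author is
// the uploading user, the AJAX action is "ffm_download" (hypothetical), and the
// download link was built with wp_create_nonce( 'ffm_download_' . $file_id ).

// Register only the authenticated hook. Deliberately no wp_ajax_nopriv_ hook:
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_ffm_download', 'ffm_handle_download' );

function ffm_handle_download() {
    $file_id = isset( $_GET['file_id'] ) ? absint( $_GET['file_id'] ) : 0;
    $nonce   = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // 1. Nonce check, bound to the specific file id so a token issued for one
    //    file cannot be reused for another. wp_verify_nonce() returns false on
    //    failure; the handler must stop here, which is exactly what the
    //    advisory says the vulnerable handler fails to do.
    if ( 0 === $file_id || ! wp_verify_nonce( $nonce, 'ffm_download_' . $file_id ) ) {
        wp_die( 'Invalid or missing request token.', '', array( 'response' => 403 ) );
    }

    // 2. Authorization check. A valid nonce only proves the request came from a
    //    page WordPress rendered for this session; it says nothing about whether
    //    this user may read this file, so ownership is checked explicitly.
    $file = get_post( $file_id );
    if ( ! $file || 'attachment' !== $file->post_type ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }
    $is_owner = (int) $file->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        // Same status as "not found" so an id sweep cannot tell other users'
        // files apart from unused ids.
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    // 3. Serve the file from its stored path; never build the path from input.
    $path = get_attached_file( $file_id );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```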
Recommended Action (AI-generated)
Within 24 hours: Deactivate the Frontend File Manager Plugin immediately on all WordPress installations. …
Related identifiers
EUVD-2026-38420
GHSA-9v4r-j6qw-wjw2