
Frontend File Manager Plugin

2 CVEs

CVE-2026-8379 HIGH POC This Week

Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, and that nonce check was the only gate between an unauthenticated HTTP request and user-uploaded content. Note that a WordPress nonce is a CSRF token, not an authorization check: a logged-out visitor can obtain a valid logged-out nonce from any page that prints one, so even a correctly enforced nonce would not establish who may fetch a given file. A real fix has to add an authentication and ownership (or capability) check rather than only restore the nonce. A public proof-of-concept is available via WPScan, and the SSVC assessment rates the attack automatable: any script that iterates numeric file identifiers can bulk-harvest uploaded documents, images, or other attachments without credentials. Not currently listed in CISA KEV.

Tags: WordPress, Information Disclosure, Frontend File Manager Plugin
Sources: NVD, WPScan, VulDB
CVSS 3.1: 7.5
EPSS: 0.1%
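The gate described above, as an added example that is not the plugin's code: a download handler whose only check is a WordPress nonce, in one common shape of "not properly enforced" (assumed here, since the page does not show the handler), beside a hardened version that authenticates, authorizes on ownership or an admin capability, and confines the served path. The ffm_* function names, the in-memory registry, the upload root, the $is_admin flag (standing in for current_user_can()) and the demo nonce value are assumptions; under WordPress the real wp_verify_nonce() and absint() replace the php-cli stand-ins.

```php
<?php
// Added example, not the plugin's code: a nonce-only download handler in the
// shape the advisory describes, beside a hardened one. Function names (ffm_*),
// the request/registry arrays, the upload root and the nonce value are hypothetical.

// Stand-ins so the file runs under php-cli; under WordPress the real
// wp_verify_nonce() / absint() are used instead.
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action = -1) { return $nonce === 'demo-nonce-' . $action; }
}
if (!function_exists('absint')) {
    function absint($v) { return abs((int) $v); }
}

// Constructed registry standing in for the plugin's stored file records.
$registry = [
    101 => ['owner' => 7, 'path' => '/srv/uploads/7/payroll.pdf'],
    102 => ['owner' => 9, 'path' => '/srv/uploads/9/contract.docx'],
];

// Vulnerable shape: the nonce is the only gate and is not enforced (here it is
// checked only when the parameter is present), so an anonymous request with
// nothing but ?file_id=N is served. Iterating N harvests every record.
function ffm_download_vulnerable(array $registry, array $request, ?int $user_id): array
{
    if (isset($request['_wpnonce']) && !wp_verify_nonce($request['_wpnonce'], 'ffm_download')) {
        return ['status' => 403, 'body' => 'bad nonce'];
    }
    $id = absint($request['file_id'] ?? 0);
    if (!isset($registry[$id])) {
        return ['status' => 404, 'body' => 'not found'];
    }
    return ['status' => 200, 'body' => $registry[$id]['path']];
}

// Hardened: require a logged-in user, verify the nonce (CSRF only), then make
// the authorization decision on ownership or an explicit admin capability
// ($is_admin stands in for current_user_can('manage_options')), and confine
// the served path to the upload root. Unauthorized and missing IDs return the
// same 404 so the endpoint is not an existence oracle.
function ffm_download_hardened(array $registry, array $request, ?int $user_id,
                               bool $is_admin, string $upload_root): array
{
    if ($user_id === null) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'ffm_download')) {
        return ['status' => 403, 'body' => 'bad nonce'];
    }
    $id = absint($request['file_id'] ?? 0);
    $entry = $registry[$id] ?? null;
    if ($entry === null || ($entry['owner'] !== $user_id && !$is_admin)) {
        return ['status' => 404, 'body' => 'not found'];
    }
    $root = rtrim($upload_root, '/') . '/';
    if (strpos($entry['path'], '..') !== false || strncmp($entry['path'], $root, strlen($root)) !== 0) {
        return ['status' => 500, 'body' => 'path outside upload root'];
    }
    return ['status' => 200, 'body' => $entry['path']];
}

// Demo: an anonymous enumeration loop against each handler.
$hits = ['vulnerable' => 0, 'hardened' => 0];
foreach (range(100, 105) as $n) {
    $req = ['file_id' => $n];
    if (ffm_download_vulnerable($registry, $req, null)['status'] === 200) $hits['vulnerable']++;
    if (ffm_download_hardened($registry, $req, null, false, '/srv/uploads')['status'] === 200) $hits['hardened']++;
}
printf("anonymous enumeration of ids 100-105: vulnerable=%d files, hardened=%d files\n",
       $hits['vulnerable'], $hits['hardened']);

// Owner with a valid nonce still gets their own file, but not someone else's.
$owner_req = ['file_id' => 101, '_wpnonce' => 'demo-nonce-ffm_download'];
printf("owner 7 fetching 101: %d\n", ffm_download_hardened($registry, $owner_req, 7, false, '/srv/uploads')['status']);
$other_req = ['file_id' => 102, '_wpnonce' => 'demo-nonce-ffm_download'];
printf("owner 7 fetching 102: %d\n", ffm_download_hardened($registry, $other_req, 7, false, '/srv/uploads')['status']);
```

Run it with `php file.php`. The enumeration loop is the shape of the automatable attack the SSVC assessment refers to: against the vulnerable handler every valid id is served to an anonymous client, while the hardened handler refuses before it ever looks up the id.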
CVE-2026-8378 MEDIUM POC This Month

Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting script payloads through the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and later rendered unescaped in the WordPress admin File Manager listing, so the payload executes in the browser of every administrator who opens that screen. A public proof-of-concept exists per WPScan, and no confirmed patched version is identified in the available data, so every site running version 23.6 or earlier should be treated as exposed. Until a fix is confirmed, restrict frontend renaming to trusted roles, and check existing file records for names containing markup: a release that only sanitizes new input would leave previously stored payloads live in the admin listing.

Tags: XSS, WordPress, Frontend File Manager Plugin
Sources: NVD, WPScan, VulDB
CVSS 3.1: 5.4
EPSS: 0.2%
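The rename-then-render path described above, as an added example that is not the plugin's code: the filename stored and rendered verbatim beside a version that sanitizes on write and escapes on read, plus an audit helper for records stored before a fix. The ffm_* names, the $meta array standing in for post meta and the payload are assumptions; the esc_html() and sanitize_file_name() stand-ins exist only so the file runs under php-cli, and the second is an approximation of the WordPress function, not a copy of it.

```php
<?php
// Added example, not the plugin's code: the rename-then-render path the
// advisory describes, unsanitized beside hardened. The ffm_* names and the
// $meta array standing in for post meta are hypothetical.

// Stand-ins so this runs under php-cli. esc_html() here mirrors WordPress's
// HTML-entity escaping; sanitize_file_name() is an approximation of WordPress's
// special-character stripping (the real one does more, e.g. extension checks).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_file_name')) {
    function sanitize_file_name($filename) {
        $filename = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $filename);
        $filename = str_replace(['?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"',
                                 '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%'], '', $filename);
        $filename = preg_replace('/[\s+]+/', '-', $filename);
        return trim($filename, '.-_');
    }
}

// Constructed post-meta stand-in: file id => record.
$meta = [
    55 => ['name' => 'report-q3.pdf', 'owner' => 7],
];

// What a subscriber submits through the frontend rename form (constructed payload).
$payload = '<img src=x onerror="alert(document.cookie)">.pdf';

// Vulnerable: stored verbatim, rendered verbatim in the admin listing.
function ffm_rename_vulnerable(array &$meta, int $id, string $new_name): void {
    $meta[$id]['name'] = $new_name;
}
function ffm_render_row_vulnerable(array $meta, int $id): string {
    return '<tr><td>' . $meta[$id]['name'] . '</td></tr>';
}

// Hardened: sanitize on write AND escape on read. Escaping on read is the part
// that matters for records stored before the fix; sanitizing on write keeps
// the stored value a plausible filename.
function ffm_rename_hardened(array &$meta, int $id, string $new_name): ?string {
    $clean = sanitize_file_name($new_name);
    if ($clean === '' || strlen($clean) > 255) {
        return null;           // reject rather than store an empty/oversized name
    }
    $meta[$id]['name'] = $clean;
    return $clean;
}
function ffm_render_row_hardened(array $meta, int $id): string {
    return '<tr><td>' . esc_html($meta[$id]['name']) . '</td></tr>';
}

// Audit helper: find already-stored names carrying markup, which an
// input-side fix alone would leave live in the admin listing.
function ffm_find_suspect_names(array $meta): array {
    return array_keys(array_filter($meta, function ($rec) {
        return (bool) preg_match('/[<>"\']/', $rec['name']);
    }));
}

$v = $meta; ffm_rename_vulnerable($v, 55, $payload);
echo "vulnerable row: " . ffm_render_row_vulnerable($v, 55) . "\n";
echo "suspect ids:    " . implode(',', ffm_find_suspect_names($v)) . "\n";
echo "same data, escaped on render: " . ffm_render_row_hardened($v, 55) . "\n";

$h = $meta; ffm_rename_hardened($h, 55, $payload);
echo "hardened row:   " . ffm_render_row_hardened($h, 55) . "\n";
```

Run it with `php file.php`. The third line of output is the important one: the payload already sitting in storage is neutralized by escaping at render time alone, which is why output escaping in the admin listing, not only input sanitization on the rename endpoint, is the check to look for in any fix.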
