The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

Vendors Products
Frontend File Manager Plugin
  • Frontend File Manager Plugin
Wordpress
  • Wordpress

No data.

No data.

References
Link Providers
https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/ cve-icon
History

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-287

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Tue, 23 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-287

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
Title Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
References
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2026-06-23T06:00:02.816Z

Updated: 2026-06-23T13:23:57.974Z

Reserved: 2026-05-12T08:47:44.253Z

Link: CVE-2026-8379

cve-icon Vulnrichment

Updated: 2026-06-23T13:23:40.971Z

cve-icon NVD

No data.

cve-icon Redhat

No data.