← Back
2026-06-23 6:0CVE-2026-8379WPScan
PUBLISHED5.2

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.

Problem type

  • CWE-639 Authorization Bypass Through User-Controlled Key

Affected products

Unknown

Frontend File Manager Plugin

<= 23.6 - AFFECTED

References

wpscan.com

https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/

exploitvdb-entrytechnical-description

GitHub Security Advisories

GHSA-9v4r-j6qw-wjw2

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its...

https://github.com/advisories/GHSA-9v4r-j6qw-wjw2

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-8379

wpscan.com

https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827

github.com

https://github.com/advisories/GHSA-9v4r-j6qw-wjw2

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-8379
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-8379",
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "dateUpdated": "2026-06-23T06:00:02.816Z",
    "dateReserved": "2026-05-12T08:47:44.253Z",
    "datePublished": "2026-06-23T06:00:02.816Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan",
        "dateUpdated": "2026-06-23T06:00:02.816Z"
      },
      "title": "Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers."
        }
      ],
      "affected": [
        {
          "vendor": "Unknown",
          "product": "Frontend File Manager Plugin",
          "defaultStatus": "unknown",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThanOrEqual": "23.6"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/",
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alexander Jurkschat",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "WPScan",
          "type": "coordinator"
        }
      ]
    }
  }
}