The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

Project Subscriptions

Vendors Products
Frontend File Manager Plugin Subscribe
Frontend File Manager Plugin Subscribe
Wordpress Subscribe
Wordpress Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 07 Jul 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Tue, 07 Jul 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
Title Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-07T06:00:01.546Z

Reserved: 2026-06-15T11:46:11.509Z

Link: CVE-2026-12277

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T07:30:03Z

Weaknesses

No weakness.