Description (what the vulnerability does)
The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.
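As an added illustration, not the plugin's own code (the advisory does not show it), this is a WordPress REST route of the same shape as '/wpfm/v1/file-rename' with the file-ownership check the description says was missing, placed in the route's permission_callback where an IDOR of this kind is closed. The wpfm_example_* names are hypothetical, and the block assumes uploaded files are stored as 'attachment' posts whose post_author is the uploading user.

```php
<?php
// Added illustration, not the plugin's code: a WordPress REST route of the
// same shape as '/wpfm/v1/file-rename' with the ownership check the advisory
// says was missing. Names prefixed wpfm_example_ are hypothetical.
// Assumption: uploaded files are 'attachment' posts whose post_author is the
// uploading user (the standard WordPress media model).

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpfm/v1', '/file-rename', array(
        'methods'  => 'POST',
        'callback' => 'wpfm_example_rename_file',
        // Vulnerable pattern: only proves that *some* user is logged in, so any
        // Subscriber may pass any 'fileid' (the IDOR described above):
        //   'permission_callback' => 'is_user_logged_in',
        // Hardened: resolve the object and verify the caller owns it.
        'permission_callback' => 'wpfm_example_can_rename_file',
        'args' => array(
            'fileid'  => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'newname' => array( 'required' => true, 'sanitize_callback' => 'sanitize_file_name' ),
        ),
    ) );
} );

function wpfm_example_can_rename_file( WP_REST_Request $request ) {
    $file_id = absint( $request->get_param( 'fileid' ) );
    $post    = $file_id ? get_post( $file_id ) : null;
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return new WP_Error( 'wpfm_not_found', 'No such file.', array( 'status' => 404 ) );
    }
    // The ownership comparison the vulnerable endpoint lacks. Editors with
    // edit_others_posts are allowed across users; everyone else must own the file.
    if ( (int) $post->post_author !== get_current_user_id()
        && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'wpfm_forbidden', 'You do not own this file.', array( 'status' => 403 ) );
    }
    return true;
}

function wpfm_example_rename_file( WP_REST_Request $request ) {
    // Ownership is already enforced by permission_callback. Renaming is
    // simplified here to updating the attachment title (assumption).
    $result = wp_update_post( array(
        'ID'         => absint( $request->get_param( 'fileid' ) ),
        'post_title' => $request->get_param( 'newname' ),
    ), true );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'renamed' => true ) );
}
```

The fix is that the permission check loads the object named by 'fileid' and compares its owner to the caller before the rename runs, rather than only confirming that the caller is logged in.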
Summary (explanation of the vulnerability in simple terms)
The Frontend File Manager Plugin for WordPress versions 23.4 and earlier contains an authorization flaw that allows authenticated users to modify files they should not have access to. An attacker with a low-privilege account can alter file contents through the plugin's interface. The vulnerability requires valid login credentials but no additional user interaction. Update to a version newer than 23.4.
Attacker capabilities (what an attacker can do)
Modify files on the site through the plugin interface with a low-privilege account.
Site impact (potential impact on your site)
Authenticated users can alter site files beyond their intended permissions, risking content corruption or malicious modifications.
Prerequisites (conditions required to exploit)
Attacker must have a valid WordPress user account with low-level privileges.
Disclosure timeline (key dates)
November 25, 2025: CVE published
April 8, 2026: Record updated