cleantalk
Vulnerabilities and Security Researches

Frontend File Manager Plugin, CVE-2026-1280

CVE, Research URL

CVE-2026-1280

Home page URL

Security reports for Frontend File Manager Plugin

Application

Frontend File Manager Plugin

Published on
Jan 28, 2026
Research Description
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
Affected versions
max 23.5.
Status
vulnerable
Previous vulnerability researches
WP Dream Carousel (CVE-2024-13331) , Feb 06, 2025
jCarousel for WordPress (CVE-2024-54437) , Dec 19, 2024
WE – Client Logo Carousel (CVE-2024-51821) , Nov 12, 2024
Multi Post Carousel by Category (CVE-2026-1275) , Apr 13, 2026
Ultimate Multi Design Video Carousel (CVE-2025-9372) , Oct 11, 2025
New vulnerability
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress (CVE-2026-1559) , Apr 20, 2026
Frontend File Manager Plugin (CVE-2026-1280) , Apr 20, 2026
WooMS (CVE-2025-57957) , Apr 20, 2026
Simple User Registration (CVE-2026-0844) , Apr 20, 2026
Kubio AI Page Builder (CVE-2026-5427) , Apr 20, 2026