cleantalk
Vulnerabilities and Security Researches

Frontend File Manager Plugin, CVE-2026-1280

CVE, Research URL

CVE-2026-1280

Home page URL

Security reports for Frontend File Manager Plugin

Application

Frontend File Manager Plugin

Published on
Jan 28, 2026
Research Description
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
Affected versions
max 23.5.
Status
vulnerable
Previous vulnerability researches
Ultimate Multi Design Video Carousel (CVE-2025-9372) , Oct 11, 2025
New vulnerability
Hostel (CVE-2026-1838) , Apr 20, 2026
Content Blocks (Custom Post Widget) (CVE-2026-0894) , Apr 20, 2026
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress (CVE-2026-1559) , Apr 20, 2026
Frontend File Manager Plugin (CVE-2026-1280) , Apr 20, 2026
WooMS (CVE-2025-57957) , Apr 20, 2026