{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1280", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-20T22:17:51.761Z", "datePublished": "2026-01-28T11:23:41.307Z", "dateUpdated": "2026-04-08T17:30:20.675Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:20.675Z"}, "affected": [{"vendor": "nmedia", "product": "Frontend File Manager Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "23.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only."}], "title": "Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98"}, {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "timeline": [{"time": "2026-01-27T21:50:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:55:41.777784Z", "id": "CVE-2026-1280", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:56:06.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1280", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:55:41.777784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:55:49.124Z"}}], "cna": {"title": "Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Md. Moniruzzaman Prodhan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "nmedia", "product": "Frontend File Manager Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "23.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-27T21:50:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98"}, {"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98"}], "descriptions": [{"lang": "en", "value": "The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:20.675Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1280", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:20.675Z", "dateReserved": "2026-01-20T22:17:51.761Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T11:23:41.307Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only."}, {"lang": "es", "value": "El plugin Frontend File Manager para WordPress es vulnerable al uso compartido de archivos no autorizado debido a una comprobaci\u00f3n de capacidad faltante en la acci\u00f3n AJAX 'wpfm_send_file_in_email' en todas las versiones hasta la 23.5, inclusive. Esto permite a atacantes no autenticados compartir archivos subidos arbitrarios por correo electr\u00f3nico al proporcionar un ID de archivo. Dado que los ID de archivo son enteros secuenciales, los atacantes pueden enumerar todos los archivos subidos en el sitio y exfiltrar datos sensibles que estaban destinados a ser restringidos solo a los administradores."}], "id": "CVE-2026-1280", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T12:15:52.593", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:58:02.230502+00:00", "value": {"mitigation_remediation": ["Update the Frontend File Manager Plugin to the latest available version that includes the missing authorization check.", "If an upgrade is not immediately possible, restrict the use of the 'wpfm_send_file_in_email' feature to administrator roles by adjusting plugin settings or by blocking the AJAX action in the web server configuration.", "Review and audit all files uploaded to the site for sensitive content, and delete or secure any that should not be publicly accessible.", "Continue to keep WordPress core and all plugins up to date, and run regular security scans to detect unauthorized file sharing activity."], "summary": {"action": "Apply Patch", "impact": "Unauthorized file access and exfiltration"}, "threat_synthesis": {"affected_systems": "All installations of the Frontend File Manager Plugin by nmedia running WordPress, from the earliest release through version 23.5, are affected. This includes every site that has not upgraded beyond 23.5.", "description_and_impact": "The Frontend File Manager Plugin for WordPress lacks a capability check on the 'wpfm_send_file_in_email' AJAX action, allowing unauthenticated users to request file deliveries by specifying a file ID. Because the plugin assigns sequential integer IDs to uploaded files, an attacker can enumerate all files on the site and transfer any that were intended to be visible only to administrators. The weakness is a missing permission check, classified as CWE-862, and the resulting impact is the disclosure and potential exfiltration of sensitive data.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity, but the EPSS score is less than 1% and it is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been observed. The attack requires only an unauthenticated HTTP request to the AJAX endpoint with a crafted 'file_id' parameter, making exploitation trivial for anyone who can send requests to the site. Once a file ID is known, the attacker can retrieve the file via email without further authentication, making the potential for data leakage significant, especially for confidential documents uploaded by administrators."}}}}, "created": "2026-01-29T09:18:09.917476+00:00", "updated": "2026-04-15T19:00:12.308999+00:00", "vendors": ["najeebmedia", "najeebmedia$PRODUCT$frontend_file_manager_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}