Frontend File Manager Plugin Insecure Direct Object Reference Vulnerability Allowing Arbitrary File Renaming

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Frontend File Manager Plugin for WordPress, affecting all versions through 23.4. The plugin fails to validate file ownership before processing file rename requests sent to the '/wpfm/v1/file-rename' REST API endpoint. As a result, authenticated attackers with Subscriber-level access and above can rename files uploaded by other users by manipulating the 'fileid' parameter.

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access or higher to rename files uploaded by other users, potentially leading to confusion or misuse of file management features.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a POST request to the '/wpfm/v1/file-rename' REST API endpoint. The request includes the 'fileid' parameter, referencing a file uploaded by another user, and the 'filename' parameter, specifying the new name for the file. Because the endpoint does not validate file ownership, the request is processed and the targeted file is renamed.
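The root cause described above is an authorization check that never happens: the endpoint accepts any 'fileid' from any logged-in user. The following is an added example of how such a REST route would be registered with the ownership check in place; it is not the plugin's own code. It assumes, for illustration, that uploaded files are stored as WordPress attachment posts (so 'post_author' records the uploader) and that renaming is represented by updating the attachment title; the function names prefixed 'example_wpfm_' are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumption: uploaded files are stored as
// WordPress 'attachment' posts, so post_author identifies the uploader.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpfm/v1', '/file-rename', array(
        'methods'             => 'POST',
        'callback'            => 'example_wpfm_rename_file',
        // The ownership check lives in the permission callback, so a request for
        // someone else's file is rejected before any rename logic runs. This is
        // the check whose absence produces the IDOR described in the advisory.
        'permission_callback' => 'example_wpfm_can_rename_file',
        'args'                => array(
            'fileid'   => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'filename' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_file_name',
            ),
        ),
    ) );
} );

/**
 * Permission callback: the caller must be logged in and must either own the
 * referenced file or hold a capability that covers other users' content.
 */
function example_wpfm_can_rename_file( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $file_id = (int) $request->get_param( 'fileid' );
    $file    = get_post( $file_id );

    // A missing or wrong-type object gets the same answer as a foreign one, so the
    // response does not reveal whether a given fileid exists.
    if ( ! $file || 'attachment' !== $file->post_type ) {
        return new WP_Error( 'rest_forbidden', 'You cannot rename this file.', array( 'status' => 403 ) );
    }

    $is_owner = (int) $file->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot rename this file.', array( 'status' => 403 ) );
    }

    return true;
}

/**
 * Handler: only reached after the permission callback returned true.
 */
function example_wpfm_rename_file( WP_REST_Request $request ) {
    $file_id  = (int) $request->get_param( 'fileid' );
    $new_name = sanitize_file_name( $request->get_param( 'filename' ) );

    if ( '' === $new_name ) {
        return new WP_Error( 'rest_invalid_param', 'Empty filename.', array( 'status' => 400 ) );
    }

    // Stand-in for the rename: update the attachment title. Pass true as the
    // second argument so failures come back as WP_Error rather than 0.
    $updated = wp_update_post( array(
        'ID'         => $file_id,
        'post_title' => $new_name,
    ), true );

    if ( is_wp_error( $updated ) ) {
        return $updated;
    }

    return rest_ensure_response( array( 'fileid' => $file_id, 'filename' => $new_name ) );
}
```

The point a reviewer would look for is that 'fileid' is resolved to an object and compared against the current user inside 'permission_callback', not merely that a logged-in user made the request. A site can also confirm the fix by issuing the same POST as a second Subscriber account against a file it did not upload and checking for a 403 rather than a renamed file.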

Added: Nov 25, 2025, 8:38 AM
Updated: Nov 25, 2025, 8:38 AM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          1.0
impact          0.6
exploitability  6.4
remediation     0.0
relevance       1.2
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.