Frontend File Manager WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability exists in the Frontend File Manager WordPress plugin in versions prior to 23.5. The issue arises because the plugin fails to properly validate path parameters and file ownership. This flaw allows any authenticated user, including subscribers, to delete arbitrary files from the server.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of files on the server.

Reproduction

To reproduce this vulnerability, upload a .png file using the Frontend File Manager plugin's file-upload feature. After the file is uploaded, modify the filename parameter in the request to include a path-traversal payload that points to a sensitive file, such as a backup of the wp-config.php file. Then use the plugin's interface to delete the file; the injected payload causes the targeted file to be deleted instead.
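The two missing checks named in the Vulnerability section (path validation and file ownership) can be illustrated with a deletion handler that enforces both. This is an added example, not the plugin's code; `safe_delete`, the `$ownerIndex` map and the temporary fixture are assumptions, and a real WordPress handler would derive the root from `wp_upload_dir()` and the caller from `get_current_user_id()`.

```php
<?php
// Added example (not the plugin's code): delete a user's upload only when the
// requested name is a bare file name, resolves inside the upload root, and the
// caller owns it. $ownerIndex (filename => owner user id) is a hypothetical store.
function safe_delete(string $uploadRoot, array $ownerIndex, int $userId, string $requested): array
{
    // 1. Reject anything that is not a bare file name: separators, "..", NUL bytes.
    if ($requested === '' || $requested !== basename($requested) || strpos($requested, "\0") !== false) {
        return [false, 'rejected: not a bare file name'];
    }
    // 2. Resolve both paths (realpath follows symlinks) and require the target
    //    to sit strictly inside the upload root.
    $root   = realpath($uploadRoot);
    $target = realpath($uploadRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $target === false || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return [false, 'rejected: outside upload root or missing'];
    }
    // 3. Ownership: the record for this file must belong to the caller.
    if (($ownerIndex[$requested] ?? null) !== $userId) {
        return [false, 'rejected: caller does not own this file'];
    }
    return [unlink($target), 'deleted'];
}

// Constructed fixture: an upload root holding one file owned by user 7, and a
// sensitive file one level above it that must never be reachable.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ffm_demo_' . getmypid();
mkdir($base . '/uploads', 0700, true);
file_put_contents($base . '/uploads/photo.png', 'png');
file_put_contents($base . '/wp-config.php.bak', 'constructed secret');
$owners = ['photo.png' => 7];

// Traversal payload of the kind described above: fails check 1 (and check 2).
[$ok, $why] = safe_delete($base . '/uploads', $owners, 7, '../wp-config.php.bak');
echo "traversal -> ", var_export($ok, true), " ($why)\n";
// Legitimate name but a different user: fails check 3.
[$ok, $why] = safe_delete($base . '/uploads', $owners, 9, 'photo.png');
echo "other user -> ", var_export($ok, true), " ($why)\n";
// Legitimate name and owner: the only case that reaches unlink().
[$ok, $why] = safe_delete($base . '/uploads', $owners, 7, 'photo.png');
echo "owner -> ", var_export($ok, true), " ($why)\n";
echo "sensitive file still present: ", var_export(file_exists($base . '/wp-config.php.bak'), true), "\n";

// Clean up the fixture.
@unlink($base . '/wp-config.php.bak');
@rmdir($base . '/uploads');
@rmdir($base);
```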

Remediation

Users are advised to update the Frontend File Manager WordPress plugin to version 23.5 or later.

Added: Jan 7, 2026, 3:11 PM
Updated: Jan 7, 2026, 7:08 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.0
exploitability: 6.8
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.