CVE-2026-12277 PUBLISHED

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal

Assigner: WPScan
Reserved: 15.06.2026 Published: 07.07.2026 Updated: 07.07.2026

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

Product Status

Vendor Unknown
Product Frontend File Manager Plugin
Versions Default: unknown
  • affected from 0 to 23.6 (incl.)

Credits

  • Chamseddine Bouzaiene finder
  • WPScan coordinator

References

Problem Types

  • CWE-73 External Control of File Name or Path CWE