CVE-2026-8378 PUBLISHED

Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename

Assigner: WPScan
Reserved: 12.05.2026 Published: 23.06.2026 Updated: 23.06.2026

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise or escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing. This leads to a Stored Cross-Site Scripting vulnerability, exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
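The two controls the description says are missing, sanitising on write and escaping on render, are shown below as an added example that is not the plugin's own code. The AJAX action name, nonce action, request fields and meta key are hypothetical; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical handler and renderer, not the plugin's code.
// The action name, nonce action, request fields and meta key are assumptions.

const EXAMPLE_NAME_META = '_example_file_name';

// Input side: wp_ajax_* hooks fire for any logged-in user, Subscribers included.
add_action( 'wp_ajax_example_rename_file', function () {
    check_ajax_referer( 'example_rename_file', 'nonce' );

    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $raw     = isset( $_POST['new_name'] ) ? wp_unslash( $_POST['new_name'] ) : '';

    // Only the author of the file post, or a user who may edit it, can rename.
    $post = get_post( $file_id );
    if ( ! $post || ( (int) $post->post_author !== get_current_user_id()
            && ! current_user_can( 'edit_post', $file_id ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitise before storing: sanitize_file_name() removes characters
    // such as < > " ' & from the submitted name. Array input is rejected.
    $name = is_string( $raw ) ? sanitize_file_name( $raw ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'invalid name', 400 );
    }

    update_post_meta( $file_id, EXAMPLE_NAME_META, $name );
    wp_send_json_success( array( 'name' => $name ) );
} );

// Output side: escape on render even though the value was sanitised on
// write, because rows stored before the fix may still hold markup.
function example_render_file_row( int $file_id ): string {
    $name = (string) get_post_meta( $file_id, EXAMPLE_NAME_META, true );
    return '<td class="file-name">' . esc_html( $name ) . '</td>';
}
```

Escaping at output is the control that protects the administrator's listing regardless of what is already stored; sanitising at input only limits what new renames can write.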

Product Status

Vendor Unknown
Product Frontend File Manager Plugin
Versions Default: unknown
  • affected from 0 to 23.6 (incl.)

Credits

  • Mohamad Nour Almujarkesh finder
  • WPScan coordinator

References

Problem Types

  • CWE-79 Cross-Site Scripting (XSS) CWE