CVE-2026-8379 PUBLISHED

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download

Assigner: WPScan
Reserved: 12.05.2026 Published: 23.06.2026 Updated: 23.06.2026

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the plugin by iterating identifiers.

Product Status

Vendor Unknown
Product Frontend File Manager Plugin
Versions Default: unknown
  • affected from 0 to 23.6 (incl.)

Credits

  • Alexander Jurkschat finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE