CVE-2021-4351 in Frontend File Manager Plugininfo

Summary

by MITRE • 06/07/2023

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/09/2026

The Frontend File Manager plugin for WordPress represents a widely used tool that enables users to manage files through a frontend interface, providing functionality for uploading, organizing, and displaying media content on WordPress sites. This particular vulnerability affects versions up to and including 18.2, creating a significant security risk for WordPress installations that utilize this plugin. The vulnerability stems from inadequate security controls within the plugin's AJAX handling mechanism, specifically targeting the wpfm_file_meta_update action that processes file metadata changes. The flaw exists in the plugin's architecture where it fails to implement proper authentication checks, capability verification, and input sanitization before processing metadata update requests, making it susceptible to exploitation by unauthorized actors.

The technical nature of this vulnerability can be classified under CWE-863, which represents "Incorrect Authorization," as the plugin fails to verify that incoming requests originate from authenticated and authorized users. The vulnerability specifically affects the wpfm_file_meta_update AJAX endpoint where attackers can manipulate post metadata without proper authentication. This occurs because the plugin's code does not validate user credentials, does not check if the requesting user has appropriate permissions to modify the target post, and does not sanitize the input data before processing. The lack of these fundamental security controls creates an attack surface where any unauthenticated user can potentially modify metadata associated with posts and pages, which could lead to various downstream security implications including data integrity compromise and potential privilege escalation.

The operational impact of this vulnerability extends beyond simple metadata manipulation, as it can be leveraged to affect the overall integrity and security posture of WordPress installations. Attackers could exploit this weakness to alter file associations, modify post content metadata, or potentially manipulate the plugin's functionality to gain unauthorized access to sensitive information. The vulnerability's unauthenticated nature means that attackers do not require valid credentials to exploit the flaw, making it particularly dangerous as it can be exploited remotely without any prior access to the system. This type of vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts that are used for persistence or privilege escalation, as the ability to modify post metadata without authentication creates opportunities for attackers to establish persistent access or manipulate content in ways that could compromise the site's integrity.

Security mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the authentication and authorization flaws. System administrators must ensure that all WordPress installations utilizing the Frontend File Manager plugin are updated to the latest stable version that includes proper authentication checks and input sanitization. Additionally, implementing network-level protections such as firewall rules that restrict access to AJAX endpoints, monitoring for unusual metadata modification patterns, and conducting regular security audits of plugin installations can help detect and prevent exploitation attempts. The vulnerability also underscores the importance of following secure coding practices including input validation, authentication verification, and capability checks before processing user requests, which are fundamental requirements for maintaining application security and preventing similar issues in other software components.

Responsible

Wordfence

Reservation

06/06/2023

Disclosure

06/07/2023

Moderation

accepted

CPE

ready

EPSS

0.00684

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!