CVE-2026-8095 in Frontend File Manager Plugin
Summary
by MITRE • 06/28/2026
The Frontend File Manager Plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. The cause is a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler: supplying WPFM_DIR_PATH in uppercase evades the unset check, and sanitize_key() then normalizes the key to wpfm_dir_path during update_post_meta(), so an attacker can overwrite the stored file path with an arbitrary filesystem path. That path is later passed directly to unlink() in delete_file_locally() without any directory containment validation. This makes it possible for authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including sensitive files such as wp-config.php, potentially leading to full site takeover.
Analysis
by VulDB Data Team • 06/28/2026
The Frontend File Manager Plugin for WordPress contains a critical authenticated arbitrary file deletion vulnerability affecting versions up to and including 23.6. The flaw lies in the plugin's AJAX handler and stems from input sanitization that fails to validate user-supplied directory paths. Specifically, in the wpfm_file_meta_update function the wpfm_dir_path parameter is inadequately validated before it is processed: the handler removes the parameter only when it is spelled in lowercase, so a request that carries WPFM_DIR_PATH in uppercase bypasses the unset check that was meant to prevent unauthorized path manipulation.
Exploitation combines parameter normalization with a path handling flaw in WordPress's metadata update path. The uppercase parameter passes the initial check, but the sanitize_key() function lowercases it during update_post_meta(), so the stored file path metadata is overwritten with an arbitrary filesystem path that was never checked against directory containment rules. WordPress core behaves as designed here; the defect is that the plugin compares the raw parameter name while the key that is actually stored is the normalized one, which lets an attacker redirect the plugin's file system operations.
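The two defects described in the summary and the analysis (a filter that runs before normalization, and an unlink() with no containment check) modelled in Python, as an added example that is not code from the plugin, from WordPress or from VulDB. WordPress is PHP, so sanitize_key() and update_post_meta() are re-implemented here in simplified form under the names sanitize_key_model() and update_post_meta_model(); the vulnerable/hardened handler names, the allowlist of writable meta keys and the paths used in demo() are assumptions for illustration.

```python
"""Model of the case-sensitive bypass and the missing containment check.

Added example, not code from the Frontend File Manager plugin or from
WordPress. sanitize_key_model() mirrors WordPress's sanitize_key()
(lower-case, then keep only [a-z0-9_-]); update_post_meta_model() stands in
for update_post_meta(). Function names, WRITABLE_KEYS and the paths in
demo() are assumptions for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Meta key holding the on-disk path; a request must never be able to overwrite it.
PROTECTED_KEY = "wpfm_dir_path"
# Meta keys a user is legitimately allowed to edit (assumed for the example).
WRITABLE_KEYS = {"wpfm_title", "wpfm_description"}


def sanitize_key_model(key: str) -> str:
    """Simplified sanitize_key(): lower-case, strip all but [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_\-]", "", key.lower())


def update_post_meta_model(meta: dict, key: str, value: str) -> None:
    """Stand-in for update_post_meta(): the key is normalized on the way in."""
    meta[sanitize_key_model(key)] = value


def vulnerable_meta_update(meta: dict, request: dict) -> dict:
    """Filter, then normalize: only the exact lower-case spelling is dropped,
    so 'WPFM_DIR_PATH' survives the unset and collapses onto PROTECTED_KEY."""
    params = dict(request)
    params.pop(PROTECTED_KEY, None)
    for key, value in params.items():
        update_post_meta_model(meta, key, value)
    return meta


def hardened_meta_update(meta: dict, request: dict) -> dict:
    """Normalize, then filter against an allowlist: the key is checked in the
    same form in which it will be stored, so no spelling reaches PROTECTED_KEY."""
    for key, value in request.items():
        normalized = sanitize_key_model(key)
        if normalized not in WRITABLE_KEYS:
            continue
        update_post_meta_model(meta, normalized, value)
    return meta


def is_within_root(candidate: str, root: str) -> bool:
    """True only if candidate, after resolving '..' and symlinks, lies below root."""
    target = Path(candidate).resolve()
    base = Path(root).resolve()
    return base in target.parents


def delete_file_locally_unsafe(meta: dict) -> None:
    """Mirrors the reported behaviour: the stored path goes straight to unlink()."""
    os.unlink(meta[PROTECTED_KEY])


def delete_file_locally_safe(meta: dict, upload_root: str) -> bool:
    """Refuses any path outside upload_root; returns True if a file was removed."""
    path = meta[PROTECTED_KEY]
    if not is_within_root(path, upload_root):
        return False
    os.unlink(path)
    return True


def demo() -> dict:
    """Runs both updates against a constructed request, then exercises the
    containment check in a throw-away directory; returns the observations."""
    original = "/srv/wpfm-demo/uploads/user1/report.pdf"  # constructed stored path
    request = {"WPFM_DIR_PATH": "/srv/wpfm-demo/wp-config.php", "wpfm_title": "report"}
    vuln = vulnerable_meta_update({PROTECTED_KEY: original}, request)
    hard = hardened_meta_update({PROTECTED_KEY: original}, request)

    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        inside = os.path.join(uploads, "report.pdf")
        outside = os.path.join(tmp, "wp-config.php")
        for f in (inside, outside):
            open(f, "w").close()
        removed_inside = delete_file_locally_safe({PROTECTED_KEY: inside}, uploads)
        # A traversal through the upload root resolves to the outside file and is refused.
        traversal = os.path.join(uploads, "..", "wp-config.php")
        removed_outside = delete_file_locally_safe({PROTECTED_KEY: traversal}, uploads)
        outside_still_exists = os.path.exists(outside)

    return {
        "vulnerable_path": vuln[PROTECTED_KEY],
        "hardened_path": hard[PROTECTED_KEY],
        "hardened_title": hard.get("wpfm_title"),
        "removed_inside": removed_inside,
        "removed_outside": removed_outside,
        "outside_still_exists": outside_still_exists,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened update does two things the vulnerable one does not: it compares the parameter name after normalization, so the check and the storage agree on what the key is, and it uses an allowlist of writable keys rather than a blocklist of one protected key. The containment check resolves the path before comparing it, which is what defeats both absolute paths and `..` segments.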
The impact goes beyond deleting individual files. An authenticated attacker with Subscriber-level privileges can remove critical files such as wp-config.php, which holds the database credentials and other sensitive configuration data. The consequences include complete site compromise, data loss and potential lateral movement within the hosting environment. Because unlink() runs with the web server process's filesystem privileges rather than the attacker's WordPress role, the flaw gives a low-privileged account a direct path to file deletion that normal access controls would otherwise prevent.
The weakness maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and is a classic case of insecure direct object reference: user input directly determines a file system operation without containment validation. The attack pattern corresponds to the MITRE ATT&CK techniques T1059 (Command and Scripting Interpreter) and T1486 (Data Encrypted for Ransom), as successful exploitation can lead to complete system compromise. Organizations using this plugin should update it immediately and, in addition, enforce role-based access controls and monitor for suspicious file deletion activity. The case shows why a sanitization check must run on the same normalized form of the input that is later stored or used: a check that a mere change of letter case bypasses offers no protection.
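One way to act on the monitoring recommendation above, as an added example that is not code from the plugin, from WordPress or from VulDB: a scanner over request logs that flags calls to the wpfm_file_meta_update AJAX action which try to set wpfm_dir_path at all, and rates them high when the parameter name only collapses onto wpfm_dir_path after normalization (any spelling other than the exact lowercase one, which is the variant the advisory describes) or when the value is an absolute path outside the upload directory. The log format and sample lines are constructed for the example; it assumes a WAF or application log that records the decoded POST body of admin-ajax.php requests, which plain web server access logs usually do not. UPLOAD_ROOT is an assumed path.

```python
"""Detection of case-variant wpfm_dir_path parameters in request logs.

Added example, not code from the plugin or from VulDB. The log format is
constructed: it assumes a WAF/application log that records the POST body of
admin-ajax.php requests. UPLOAD_ROOT is an assumed upload directory.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qsl

AJAX_ACTION = "wpfm_file_meta_update"
PROTECTED_KEY = "wpfm_dir_path"
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/"  # assumed

# Constructed sample lines: timestamp, method, path, user, URL-encoded body.
SAMPLE_LOG = """\
2026-06-28T10:12:01Z POST /wp-admin/admin-ajax.php user=alice body=action=wpfm_file_meta_update&file_id=41&wpfm_title=Q2+report
2026-06-28T10:12:03Z POST /wp-admin/admin-ajax.php user=bob body=action=wpfm_file_meta_update&file_id=41&WPFM_DIR_PATH=%2Fvar%2Fwww%2Fhtml%2Fwp-config.php
2026-06-28T10:12:05Z POST /wp-admin/admin-ajax.php user=carol body=action=wpfm_file_meta_update&file_id=42&Wpfm_Dir_Path=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2Fwpfm%2Fcarol%2Fx.pdf
2026-06-28T10:12:06Z POST /wp-admin/admin-ajax.php user=dave body=action=wpfm_file_meta_update&file_id=43&wpfm_dir_path=%2Fetc%2Fhosts
2026-06-28T10:12:07Z POST /wp-admin/admin-ajax.php user=alice body=action=heartbeat&data=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) user=(?P<user>\S+) body=(?P<body>.*)$"
)


def sanitize_key_model(key: str) -> str:
    """Simplified WordPress sanitize_key(): lower-case, keep only [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_\-]", "", key.lower())


def analyze_line(line: str) -> Optional[dict]:
    """Returns a finding for one log line, or None if the line is benign."""
    m = LINE_RE.match(line.strip())
    if not m or not m["path"].endswith("/admin-ajax.php"):
        return None
    params = dict(parse_qsl(m["body"], keep_blank_values=True))
    if params.get("action") != AJAX_ACTION:
        return None

    reasons: List[str] = []
    severity = "low"
    for key, value in params.items():
        # Compare in the normalized form, exactly as the storage layer will see it.
        if sanitize_key_model(key) != PROTECTED_KEY:
            continue
        reasons.append(f"attempt to set {PROTECTED_KEY} via parameter {key!r}")
        if key != PROTECTED_KEY:
            # The exact lower-case spelling is what the plugin unsets; anything
            # else reaches the normalizer, which is the reported bypass.
            severity = "high"
            reasons.append("case variant: survives the unset check and is normalized on storage")
        if value.startswith("/") and not value.startswith(UPLOAD_ROOT):
            severity = "high"
            reasons.append(f"absolute path outside upload root: {value}")
    if not reasons:
        return None
    return {"ts": m["ts"], "user": m["user"], "severity": severity, "reasons": reasons}


def scan(log_text: str) -> List[dict]:
    """Scans a whole log; findings keep the order of the input lines."""
    findings = []
    for line in log_text.splitlines():
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["user"], f["severity"], "; ".join(f["reasons"]))
```

A legitimate client never needs to send wpfm_dir_path, so even the exact lowercase spelling that the plugin unsets is worth a low-severity record; the high-severity cases are the ones the advisory describes. For a fleet of sites, the same logic can run over whatever request log already captures the body, with UPLOAD_ROOT set per site.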