CVE-2026-8380 in Frontend File Manager Plugininfo

Summary

by MITRE • 06/26/2026

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugin WordPress plugin through 23.6's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

WPScan

Reservation

05/12/2026

Disclosure

06/26/2026

Moderation

accepted

Entry

VDB-374125

CPE

ready

CWE

CWE-73 (confirmed)

CVSS

7.3 (VulDB)

EPSS

0.00000

KEV

Activities

low

Sector

Hostingprovider

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-8380
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-8380
CVE Details	https://www.cvedetails.com/cve/CVE-2026-8380/

◂ Previous Overview Next ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!