VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 27 known issues Latest disclosed Jun 27, 2026

Frontend File Manager Plugin Vulnerabilities

Review known vulnerability records for the WordPress plugin Frontend File Manager Plugin (`nmedia-user-file-uploader`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-8095, CVE-2026-5337 and CVE-2026-0829, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
27
High or Critical
14
Patch Coverage
100%
Last Updated
Jun 27, 2026
Related Security Guides

Use these guides while reviewing Frontend File Manager Plugin fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening
WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.
Plugin Security
WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.
Scanning
WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.
Patch Decision Workflow

How to prioritize Frontend File Manager Plugin remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records
27
1. Match the Package
Confirm the installed WordPress plugin slug is nmedia-user-file-uploader before acting on any CVE from this cluster.
2. Sort by Severity
Start with 14 high or critical records, then review medium and unrated findings with public references.
3. Check Patch Evidence
27 records include a patch path; verify compatibility before closing the finding.
4. Monitor Gaps
0 records still lack a listed fixed release, so keep this hub in the review queue.
High-Signal Remediation Targets
CVE-2021-4368 Critical
Remote Code Execution remediation for Frontend File Manager Plugin

Affected range: Versions before 18.3. Fixed version: 18.3.

CVE-2023-5105 Critical
Vulnerability remediation for Frontend File Manager Plugin

Affected range: Versions up to 22.5. Fixed version: 22.6.

CVE-2021-4356 Critical
Vulnerability remediation for Frontend File Manager Plugin

Affected range: Versions before 18.3. Fixed version: 18.3.

CVE-2022-3126 High
File Upload remediation for Frontend File Manager Plugin

Affected range: Versions up to 21.2. Fixed version: 21.3.

Priority CVE Quick Links

Fast paths into Frontend File Manager Plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
25
Tracked CVE Issue Type Affected Versions Fixed Version CVSS
CVE-2021-4368
Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary F...
 Remote Code Execution Versions before 18.3 18.3 CVSS 9.9
CVE-2023-5105
Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal
 Vulnerability Versions up to 22.5 22.6 CVSS 9.1
CVE-2021-4356
Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download
 Vulnerability Versions before 18.3 18.3 CVSS 9.0
CVE-2022-3126
Frontend File Manager Plugin <= 21.2 - Cross-Site Request Forgery to File Upload
 File Upload Versions up to 21.2 21.3 CVSS 8.8
CVE-2022-3125
Frontend File Manager <= 21.2 - Authenticated (Subscriber+) Arbitrary File Upload
 Remote Code Execution Versions up to 21.2 21.3 CVSS 8.8
CVE-2014-5324
Frontend File Manager Plugin < 3.6 - Arbitrary File Upload
 Remote Code Execution Versions before 3.6 3.6 CVSS 8.8
CVE-2026-8095
Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File De...
 Vulnerability Versions up to 23.6 No patch listed CVSS 8.1
CVE-2025-14804
Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion
 Remote Code Execution Versions up to 23.4 23.5 CVSS 8.1
CVE-2021-4368 Critical 18.3
CVE-2021-4368 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary File Upload

CVE-2023-5105 Critical 22.6
CVE-2023-5105 Frontend File Manager Plugin Vulnerability

Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal

CVE-2021-4356 Critical 18.3
CVE-2021-4356 Frontend File Manager Plugin Vulnerability

Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

CVE-2022-3126 High 21.3
CVE-2022-3126 Frontend File Manager Plugin File Upload

Frontend File Manager Plugin <= 21.2 - Cross-Site Request Forgery to File Upload

CVE-2022-3125 High 21.3
CVE-2022-3125 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 21.2 - Authenticated (Subscriber+) Arbitrary File Upload

CVE-2014-5324 High 3.6
CVE-2014-5324 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager Plugin < 3.6 - Arbitrary File Upload

CVE-2026-8095 High No patch listed
CVE-2026-8095 Frontend File Manager Plugin Vulnerability

Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File Deletion

CVE-2025-14804 High 23.5
CVE-2025-14804 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for Frontend File Manager Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
27 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
4 critical and 10 high severity findings.
Recent CVEs
CVE-2026-8095, CVE-2026-5337 and CVE-2026-0829
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Frontend File Manager Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: No CVE-2026-8095
CVE-2026-8095: Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where s...

Published
Jun 27, 2026
Patched Release
Not published
Affected Versions
Versions up to 23.6
Next Step
Open the full report for remediation notes and references.
Review CVE-2026-8095 fixed version details Open CVE Reference
Plugin Medium Patched: No CVE-2026-5337
CVE-2026-5337: Frontend File Manager <= 23.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Download Access

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...

Published
Apr 11, 2026
Patched Release
Not published
Affected Versions
Versions up to 23.6
Next Step
Open the full report for remediation notes and references.
Review CVE-2026-5337 fixed version details Open CVE Reference
Plugin Medium Patched: No CVE-2026-0829
CVE-2026-0829: Frontend File Manager <= 23.5 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Feb 17, 2026
Patched Release
Not published
Affected Versions
Versions up to 23.5
Next Step
Open the full report for remediation notes and references.
Review CVE-2026-0829 fixed version details Open CVE Reference
Plugin High Patched: No CVE-2026-1280
CVE-2026-1280: Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbit...

Published
Jan 27, 2026
Patched Release
Not published
Affected Versions
Versions up to 23.5
Next Step
Open the full report for remediation notes and references.
Review CVE-2026-1280 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2026-25005
CVE-2026-25005: Frontend File Manager Plugin <= 23.5 - Unauthenticated Insecure Direct Object Reference

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.5 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized a...

Published
Jan 16, 2026
Patched Release
23.6
Affected Versions
Versions up to 23.5
Next Step
Update to 23.6 or newer if supported.
Review CVE-2026-25005 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2025-14804
CVE-2025-14804: Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delet...

Published
Dec 17, 2025
Patched Release
23.5
Affected Versions
Versions up to 23.4
Next Step
Update to 23.5 or newer if supported.
Review CVE-2025-14804 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-13382
CVE-2025-13382: Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpo...

Published
Nov 24, 2025
Patched Release
23.5
Affected Versions
Versions up to 23.4
Next Step
Update to 23.5 or newer if supported.
Review CVE-2025-13382 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-64265
CVE-2025-64265: Frontend File Manager <= 23.2 - Missing Authorization

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 23.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to pe...

Published
Oct 30, 2025
Patched Release
23.3
Affected Versions
Versions up to 23.2
Next Step
Update to 23.3 or newer if supported.
Review CVE-2025-64265 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-57921
CVE-2025-57921: Frontend File Manager <= 23.2 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published
Sep 22, 2025
Patched Release
23.4
Affected Versions
Versions up to 23.2
Next Step
Update to 23.4 or newer if supported.
Review CVE-2025-57921 fixed version details Open CVE Reference
Plugin High Patched: Yes CVE-2023-7306
CVE-2023-7306: Frontend File Manager <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to dele...

Published
Jul 24, 2025
Patched Release
22.0
Affected Versions
Versions up to 21.5
Next Step
Update to 22.0 or newer if supported.
Review CVE-2023-7306 fixed version details Open CVE Reference
Plugin Medium Patched: No CVE-2025-27358
CVE-2025-27358: Frontend File Manager <= 23.2 - Missing Authorization to Authenticated (Subscriber+) Content Injection

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 23.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to in...

Published
Jul 04, 2025
Patched Release
Not published
Affected Versions
Versions up to 23.2
Next Step
Open the full report for remediation notes and references.
Review CVE-2025-27358 fixed version details Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-25903
CVE-2024-25903: Frontend File Manager <= 22.7 - Sensitive Information Exposure via user uploads

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 22.7 via the user upload functionality. This makes it possible for unauthenticated attackers to access user-uploaded files.

Published
Feb 12, 2024
Patched Release
22.8
Affected Versions
Versions up to 22.7
Next Step
Update to 22.8 or newer if supported.
Review CVE-2024-25903 fixed version details Open CVE Reference