Which Frontend File Manager Plugin CVEs are tracked?

Frontend File Manager Plugin tracked CVEs include CVE-2021-4368, CVE-2023-5105, CVE-2021-4356, CVE-2022-3126, and CVE-2022-3125.

How many Frontend File Manager Plugin vulnerabilities have patch guidance?

24 of 24 tracked Frontend File Manager Plugin records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 24 known issues Latest disclosed Feb 17, 2026

Frontend File Manager Plugin Vulnerabilities

Review known vulnerability records for the WordPress plugin Frontend File Manager Plugin (`nmedia-user-file-uploader`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-0829, CVE-2026-1280 and CVE-2025-14804, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Feb 24, 2026

Priority CVE Quick Links

Fast paths into Frontend File Manager Plugin CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2021-4368 Critical 18.3

CVE-2021-4368 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary File Upload

CVE-2023-5105 Critical 22.6

CVE-2023-5105 Frontend File Manager Plugin Vulnerability

Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal

CVE-2021-4356 Critical 18.3

CVE-2021-4356 Frontend File Manager Plugin Vulnerability

Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

CVE-2022-3126 High 21.3

CVE-2022-3126 Frontend File Manager Plugin File Upload

Frontend File Manager Plugin <= 21.2 - Cross-Site Request Forgery to File Upload

CVE-2022-3125 High 21.3

CVE-2022-3125 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 21.2 - Authenticated (Subscriber+) Arbitrary File Upload

CVE-2014-5324 High 3.6

CVE-2014-5324 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager Plugin < 3.6 - Arbitrary File Upload

CVE-2025-14804 High 23.5

CVE-2025-14804 Frontend File Manager Plugin Remote Code Execution

Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

CVE-2026-1280 High No patch listed

CVE-2026-1280 Frontend File Manager Plugin Vulnerability

Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Frontend File Manager Plugin so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

24 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

4 critical and 9 high severity findings.

Recent CVEs

CVE-2026-0829, CVE-2026-1280 and CVE-2025-14804

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-0829 Medium No patch listed

CVE-2026-0829: Frontend File Manager <= 23.5 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.5. This makes it poss...

Published

Feb 17, 2026

Patch Status

Not published

Open CVE-2026-0829 Report

CVE-2026-1280 High No patch listed

CVE-2026-1280: Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to...

Published

Jan 27, 2026

Patch Status

Not published

Open CVE-2026-1280 Report

CVE-2025-14804 High Patch path listed

CVE-2025-14804: Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. This makes...

Published

Dec 17, 2025

Patch Status

23.5

Open CVE-2025-14804 Report

Known Vulnerabilities

Reports for Frontend File Manager Plugin

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: No CVE-2026-0829

CVE-2026-0829: Frontend File Manager <= 23.5 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published

Feb 17, 2026

Patched Release

Not published

Affected Versions

Versions up to 23.5

Next Step

Open the full report for remediation notes and references.

Open CVE-2026-0829 Report Open CVE Reference

Plugin High Patched: No CVE-2026-1280

CVE-2026-1280: Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbit...

Published

Jan 27, 2026

Patched Release

Not published

Affected Versions

Versions up to 23.5

Next Step

Open the full report for remediation notes and references.

Open CVE-2026-1280 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-14804

CVE-2025-14804: Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delet...

Published

Dec 17, 2025

Patched Release

23.5

Affected Versions

Versions up to 23.4

Next Step

Update to 23.5 or newer if supported.

Open CVE-2025-14804 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-13382

CVE-2025-13382: Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpo...

Published

Nov 24, 2025

Patched Release

23.5

Affected Versions

Versions up to 23.4

Next Step

Update to 23.5 or newer if supported.

Open CVE-2025-13382 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-64265

CVE-2025-64265: Frontend File Manager <= 23.2 - Missing Authorization

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 23.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to pe...

Published

Oct 30, 2025

Patched Release

23.3

Affected Versions

Versions up to 23.2

Next Step

Update to 23.3 or newer if supported.

Open CVE-2025-64265 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-57921

CVE-2025-57921: Frontend File Manager <= 23.2 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Published

Sep 22, 2025

Patched Release

23.4

Affected Versions

Versions up to 23.2

Next Step

Update to 23.4 or newer if supported.

Open CVE-2025-57921 Report Open CVE Reference

Plugin High Patched: Yes CVE-2023-7306

CVE-2023-7306: Frontend File Manager <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to dele...

Published

Jul 24, 2025

Patched Release

22.0

Affected Versions

Versions up to 21.5

Next Step

Update to 22.0 or newer if supported.

Open CVE-2023-7306 Report Open CVE Reference

Plugin Medium Patched: No CVE-2025-27358

CVE-2025-27358: Frontend File Manager <= 23.2 - Missing Authorization to Authenticated (Subscriber+) Content Injection

Published

Jul 04, 2025

Patched Release

Not published

Affected Versions

Versions up to 23.2

Next Step

Open the full report for remediation notes and references.

Open CVE-2025-27358 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-25903

CVE-2024-25903: Frontend File Manager <= 22.7 - Sensitive Information Exposure via user uploads

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 22.7 via the user upload functionality. This makes it possible for unauthenticated attackers to access user-uploaded files.

Published

Feb 12, 2024

Patched Release

22.8

Affected Versions

Versions up to 22.7

Next Step

Update to 22.8 or newer if supported.

Open CVE-2024-25903 Report Open CVE Reference

Plugin Critical Patched: Yes CVE-2023-5105

CVE-2023-5105: Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 22.5. This makes it possible for authenticated attackers, with editor access and above, to read the contents of arbitrary files on the server, which ca...

Published

Nov 13, 2023

Patched Release

22.6

Affected Versions

Versions up to 22.5

Next Step

Update to 22.6 or newer if supported.

Open CVE-2023-5105 Report Open CVE Reference

Plugin High Patched: Yes CVE-2022-3126

CVE-2022-3126: Frontend File Manager Plugin <= 21.2 - Cross-Site Request Forgery to File Upload

The "Frontend File Manager Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 21.2. This is due to missing or incorrect nonce validation on the wpfm_upload_file function. This makes it possible for unauthenticated attackers...

Published

Sep 26, 2022

Patched Release

21.3

Affected Versions

Versions up to 21.2

Next Step

Update to 21.3 or newer if supported.

Open CVE-2022-3126 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2022-3124

CVE-2022-3124: Frontend File Manager <= 21.2 - Missing Authorization

The Frontend File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check and lacking authentication in versions up to, and including, 21.2. This makes it possible for unauthenticated attackers to rename uploaded files on the site.

Published

Sep 07, 2022

Patched Release

21.3

Affected Versions

Versions up to 21.2

Next Step

Update to 21.3 or newer if supported.

Open CVE-2022-3124 Report Open CVE Reference