CVE-2021-4356
Summary
| CVE | CVE-2021-4356 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-06-07 02:15:00 UTC |
| Updated | 2023-11-07 03:40:00 UTC |
| Description | The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover. |
Risk And Classification
Problem Types: CWE-862
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Najeebmedia | Frontend File Manager Plugin | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress Frontend File Manager plugin fixed multiple critical vulnerabilities. – NinTechNet | MISC | blog.nintechnet.com | |
| 403 Forbidden | MISC | plugins.trac.wordpress.org | |
| Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download | MISC | www.wordfence.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.