Frontend File Manager Plugin <= 23.6 - Author+ Arbitrary Post Deletion
Summary
| CVE | CVE-2026-8380 |
|---|---|
| State | PUBLISHED |
| Assigner | WPScan |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-26 07:16:22 UTC |
| Updated | 2026-06-26 07:16:22 UTC |
| Description | The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the plugin's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users. |
Risk And Classification
Problem Types: CWE-73 External Control of File Name or Path
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Unknown | Frontend File Manager Plugin | affected 23.6 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wpscan.com/vulnerability/45fcbf74-45be-4cff-a81a-0fea903592a5 | [email protected] | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Tiago Ferreira (en)
CNA: WPScan (en)
There are currently no legacy QID mappings associated with this CVE.