{"api_version":"1","generated_at":"2026-06-26T01:21:52+00:00","cve":"CVE-2026-8379","urls":{"html":"https://cve.report/CVE-2026-8379","api":"https://cve.report/api/cve/CVE-2026-8379.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-8379","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-8379"},"summary":{"title":"Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download","description":"The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers, by iterating identifiers, to download files uploaded by any user through the plugin.","state":"PUBLISHED","assigner":"WPScan","published_at":"2026-06-23 07:16:21","updated_at":"2026-06-23 14:52:58"},"problem_types":["CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://wpscan.com/vulnerability/71619406-1
9bb-437f-9538-fdf73de98827/","name":"https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/","refsource":"contact@wpscan.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-8379","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8379","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Unknown","product":"Frontend File Manager Plugin","version":"affected 23.6 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Alexander Jurkschat","lang":"en"},{"source":"CNA","value":"WPScan","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"8379","cve":"CVE-2026-8379","epss":"0.002400000","percentile":"0.149140000","score_date":"2026-06-25","updated_at":"2026-06-26 00:06:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-8379","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-23T13:23:49.153135Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-23T13:23:57.974Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unknown","product":"Frontend File Manager 
Plugin","vendor":"Unknown","versions":[{"lessThanOrEqual":"23.6","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Alexander Jurkschat"},{"lang":"en","type":"coordinator","value":"WPScan"}],"descriptions":[{"lang":"en","value":"The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers."}],"problemTypes":[{"descriptions":[{"description":"CWE-639 Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-23T06:00:02.816Z","orgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","shortName":"WPScan"},"references":[{"tags":["exploit","vdb-entry","technical-description"],"url":"https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/"}],"source":{"discovery":"EXTERNAL"},"title":"Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download","x_generator":{"engine":"WPScan CVE Generator"}}},"cveMetadata":{"assignerOrgId":"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81","assignerShortName":"WPScan","cveId":"CVE-2026-8379","datePublished":"2026-06-23T06:00:02.816Z","dateReserved":"2026-05-12T08:47:44.253Z","dateUpdated":"2026-06-23T13:23:57.974Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-23 07:16:21","lastModifiedDate":"2026-06-23 14:52:58","problem_types":["CWE-639 Authorization Bypass Through User-Controlled 
Key"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-23T13:23:49.153135Z","id":"CVE-2026-8379","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"8379","Ordinal":"1","Title":"Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary","CVE":"CVE-2026-8379","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"8379","Ordinal":"1","NoteData":"The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.","Type":"Description","Title":"Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary"}]}}}