CVE-2025-14804
BaseFortify

Publication date: 2026-01-07

Last updated on: 2026-01-08

Assigner: WPScan

Description
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter or check ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.
Meta Information
Published: 2026-01-07
Last Modified: 2026-01-08
Generated: 2026-06-16
AI Q&A: 2026-01-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: frontend_file_manager
Product: frontend_file_manager
Version / Range: up to 23.5 (exclusive)
CWE ID: CWE-UNKNOWN

AI Quick Actions
Executive Summary

CVE-2025-14804 is a vulnerability in the Frontend File Manager WordPress plugin in versions before 23.5. It occurs because the plugin neither validates a path parameter nor verifies ownership of the file being acted on. This flaw allows any authenticated user, including those with low-level roles such as Subscriber, to delete arbitrary files on the server via path traversal. In practice, an attacker can manipulate file paths during upload and then delete critical files on the server that they should not be able to reach. [1]

Impact Analysis

This vulnerability can have serious impacts by allowing unauthorized deletion of arbitrary files on the server. An attacker with minimal privileges can delete important files, potentially causing data loss, service disruption, or compromising the integrity of the website or server. This could lead to downtime, loss of critical configuration files, or other operational issues. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual file deletion activity initiated by authenticated users with low privileges, such as Subscribers. Specifically, look for deletion requests whose filename parameter contains path traversal patterns (e.g., '../'). Using a web proxy such as Burp Suite to intercept and analyze file upload and deletion requests can help identify whether the filename parameter is being manipulated to include path traversal payloads. Additionally, reviewing server logs for deletion of critical files (e.g., wp-config.php.bak) by non-administrative users can indicate exploitation attempts. [1]
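The log review described above, as an added example that is not part of the original page or of the plugin's own code. It scans constructed sample log lines (the line format, the user roles and the AJAX action name ffmwp_delete are all assumptions for the example; the upload root path is likewise assumed) and flags deletion requests by non-administrators whose filename parameter either contains a traversal sequence or, once decoded and normalised, resolves outside the plugin's upload directory. Traversal on non-delete actions, or by administrators, is still reported at a lower severity so it is not lost.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

# Directory the plugin is expected to confine file operations to (assumption).
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/ffmwp"

# Constructed sample log lines: "<user> <role> <method> <path-with-query>".
# This layout and the action names are assumptions for the example, not the
# plugin's own logging; wp-config.php.bak is the file the guidance above names.
SAMPLE_LOG = """\
alice subscriber POST /wp-admin/admin-ajax.php?action=ffmwp_delete&file=notes.txt
bob subscriber POST /wp-admin/admin-ajax.php?action=ffmwp_delete&file=../../../wp-config.php.bak
carol subscriber POST /wp-admin/admin-ajax.php?action=ffmwp_delete&file=%2e%2e%2f%2e%2e%2fsecret.env
dave administrator POST /wp-admin/admin-ajax.php?action=ffmwp_delete&file=../old.log
erin subscriber GET /wp-admin/admin-ajax.php?action=ffmwp_list&file=../../etc/passwd
"""

LINE_RE = re.compile(r"^(?P<user>\S+) (?P<role>\S+) (?P<method>\S+) (?P<url>\S+)$")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def resolves_outside(root, filename):
    """True if 'filename', joined under 'root', escapes 'root' after normalisation."""
    root = root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, filename))
    return candidate != root and not candidate.startswith(root + "/")


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["url"]).query)
    action = query.get("action", [""])[0]
    raw_file = query.get("file", [""])[0]
    # parse_qs already percent-decodes once; decoding again catches
    # double-encoded traversal sequences aimed at naive filters.
    decoded = unquote(raw_file)

    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal sequence in filename")
    if resolves_outside(UPLOAD_ROOT, decoded):
        reasons.append("path resolves outside upload root")
    if not reasons:
        return None

    # A delete by a non-administrator with a traversing path is the pattern
    # the guidance describes; everything else with traversal is worth a look.
    is_privileged = m["role"] == "administrator"
    severity = "high" if action.endswith("delete") and not is_privileged else "medium"
    return {
        "user": m["user"],
        "role": m["role"],
        "action": action,
        "file": decoded,
        "severity": severity,
        "reasons": reasons,
    }


def scan_log(text):
    """Run analyze_line over every line and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = analyze_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} ({f['role']}) {f['action']} "
              f"file={f['file']!r}: {', '.join(f['reasons'])}")
```

The containment check (resolves_outside) is the part to keep even after the upgrade: a filename that merely lacks a literal '../' can still escape the upload root once percent-encoding is undone, so normalising the joined path and comparing it against the root catches what a pattern match alone misses.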

Mitigation Strategies

The immediate mitigation step is to update the Frontend File Manager WordPress plugin to version 23.5 or later, where the vulnerability is fixed. Until the update can be applied, restrict access to the file upload interface to trusted users only, and monitor for suspicious file deletion activities. Avoid allowing Subscriber or low-privilege users to access the page containing the [ffmwp] shortcode. Implement additional access controls or disable the plugin if necessary to prevent exploitation. [1]
