CVE-2026-1280
Unauthorized File Sharing in WordPress Frontend File Manager Plugin
Publication date: 2026-01-28
Last updated on: 2026-01-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frontend_file_manager | frontend_file_manager_plugin | to 23.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Frontend File Manager Plugin for WordPress, where a missing capability check on the 'wpfm_send_file_in_email' AJAX action allows unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Because file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data intended only for administrators.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive files uploaded to the WordPress site. Attackers can enumerate and exfiltrate files by exploiting the missing capability check, potentially exposing confidential or restricted information to unauthorized parties.