CVE-2026-1280
Unknown Unknown - Not Provided
Unauthorized File Sharing in WordPress Frontend File Manager Plugin

Publication date: 2026-01-28

Last updated on: 2026-01-28

Assigner: Wordfence

Description
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1280
EUVD
EUVD-2026-4892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frontend_file_manager frontend_file_manager_plugin to 23.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Frontend File Manager Plugin for WordPress, where a missing capability check on the 'wpfm_send_file_in_email' AJAX action allows unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Because file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data intended only for administrators.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive files uploaded to the WordPress site. Attackers can enumerate and exfiltrate files by exploiting the missing capability check, potentially exposing confidential or restricted information to unauthorized parties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart