Executive Summary

The Frontend File Manager Plugin for WordPress, version 23.5 and earlier, contains a critical vulnerability (CVE-2026-0829) that allows unauthenticated users to send emails through the site without any security validation.

This flaw lets attackers use the WordPress site as an open mail relay to send spam or phishing emails to anyone.

Additionally, attackers can guess file IDs to access and share uploaded files without permission, potentially exposing sensitive information.

The vulnerability is due to broken access control (OWASP A5) and missing authorization (CWE-862).

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized POST requests to the WordPress admin AJAX endpoint that attempt to exploit the file sharing and email sending functionality.'}, {'type': 'list_item', 'content': 'Monitor for POST requests to `wp-admin/admin-ajax.php` with parameters `action=wpfm_send_file_in_email`, `file_id=<file_id>`, and `message=<message>`.'}, {'type': 'list_item', 'content': 'Look for JSON responses indicating success, such as `{"success":true,"data":"File is shared successfully"}`.'}, {'type': 'paragraph', 'content': 'A sample command to test or detect this vulnerability using curl could be:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=wpfm_send_file_in_email&file_id=1&message=Test" -i'}, {'type': 'paragraph', 'content': 'If the response contains a success message, it indicates the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, there is no known fix for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable AJAX endpoint and monitoring or blocking suspicious POST requests that attempt to exploit the vulnerability.'}, {'type': 'list_item', 'content': 'Implement firewall or web application firewall (WAF) rules to block or limit access to `wp-admin/admin-ajax.php` for unauthenticated users.'}, {'type': 'list_item', 'content': 'Disable or remove the Frontend File Manager Plugin if it is not essential.'}, {'type': 'list_item', 'content': "Monitor logs for unusual activity related to the plugin's email sending or file sharing features."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several impacts:'}, {'type': 'list_item', 'content': "Attackers can use your WordPress site as an open mail relay to send spam or phishing emails, which can damage your site's reputation and lead to blacklisting by email providers."}, {'type': 'list_item', 'content': 'Unauthorized users can access and share uploaded files by guessing file IDs, potentially exposing sensitive or confidential information.'}, {'type': 'list_item', 'content': 'The exposure of sensitive data and misuse of your site for malicious email campaigns can lead to loss of trust from users and customers.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0