CVE-2026-0829
Unauthenticated Email Relay and File Disclosure in Frontend File Manager Plugin
Publication date: 2026-02-17
Last updated on: 2026-02-17
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frontend_file_manager | frontend_file_manager_plugin | to 23.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have several impacts:'}, {'type': 'list_item', 'content': "Attackers can use your WordPress site as an open mail relay to send spam or phishing emails, which can damage your site's reputation and lead to blacklisting by email providers."}, {'type': 'list_item', 'content': 'Unauthorized users can access and share uploaded files by guessing file IDs, potentially exposing sensitive or confidential information.'}, {'type': 'list_item', 'content': 'The exposure of sensitive data and misuse of your site for malicious email campaigns can lead to loss of trust from users and customers.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
The Frontend File Manager Plugin for WordPress, version 23.5 and earlier, contains a critical vulnerability (CVE-2026-0829) that allows unauthenticated users to send emails through the site without any security validation.
This flaw lets attackers use the WordPress site as an open mail relay to send spam or phishing emails to anyone.
Additionally, attackers can guess file IDs to access and share uploaded files without permission, potentially exposing sensitive information.
The vulnerability is due to broken access control (OWASP A5) and missing authorization (CWE-862).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for unauthorized POST requests to the WordPress admin AJAX endpoint that attempt to exploit the file sharing and email sending functionality.'}, {'type': 'list_item', 'content': 'Monitor for POST requests to `wp-admin/admin-ajax.php` with parameters `action=wpfm_send_file_in_email`, `file_id=<file_id>`, and `message=<message>`.'}, {'type': 'list_item', 'content': 'Look for JSON responses indicating success, such as `{"success":true,"data":"File is shared successfully"}`.'}, {'type': 'paragraph', 'content': 'A sample command to test or detect this vulnerability using curl could be:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=wpfm_send_file_in_email&file_id=1&message=Test" -i'}, {'type': 'paragraph', 'content': 'If the response contains a success message, it indicates the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Currently, there is no known fix for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable AJAX endpoint and monitoring or blocking suspicious POST requests that attempt to exploit the vulnerability.'}, {'type': 'list_item', 'content': 'Implement firewall or web application firewall (WAF) rules to block or limit access to `wp-admin/admin-ajax.php` for unauthenticated users.'}, {'type': 'list_item', 'content': 'Disable or remove the Frontend File Manager Plugin if it is not essential.'}, {'type': 'list_item', 'content': "Monitor logs for unusual activity related to the plugin's email sending or file sharing features."}] [1]