Executive Summary

CVE-2026-5337 is a vulnerability in the Frontend File Manager Plugin for WordPress (version 23.6 or below) that allows authenticated users with Subscriber-level access or higher to perform an Insecure Direct Object Reference (IDOR) attack.

The issue occurs because the plugin does not properly validate whether a user is authorized to access a requested uploaded file when processing download requests. By modifying the 'file_id' parameter in the download URL, an attacker can access files belonging to other users, including administrators.

This leads to unauthorized access and reading of sensitive data stored within the application.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data because attackers with low privileges can access files uploaded by other users, including privileged administrators.

Such unauthorized access can compromise confidentiality and potentially expose sensitive or confidential information stored within the application.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the download endpoint of the Frontend File Manager Plugin for improper authorization checks. Specifically, you can attempt to modify the 'file_id' parameter in the download URL to see if files belonging to other users, including administrators, can be accessed without proper permissions.

For example, you can use curl or similar HTTP clients to send requests with different 'file_id' values to the download endpoint and observe if unauthorized files are accessible.

• curl -i "http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1"
• Modify the 'file_id' parameter to other values (e.g., 41, 42, etc.) to test if files from other users can be accessed.

If files not belonging to the authenticated user are accessible, this indicates the presence of the IDOR vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the download endpoint to only trusted users and monitoring for suspicious activity involving manipulation of the 'file_id' parameter.

Since no known fix is currently available, consider the following actions:

• Limit plugin usage to trusted users with higher privileges only.
• Implement additional access controls at the web server or application firewall level to block unauthorized attempts to access files via manipulated 'file_id' parameters.
• Monitor logs for unusual download requests that include modified 'file_id' values.

Plan to update or patch the plugin once a fix becomes available.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized access to sensitive data stored within the application by exploiting an Insecure Direct Object Reference (IDOR) flaw. Such unauthorized disclosure of sensitive information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive data.

Specifically, the failure to properly validate user authorization and the resulting exposure of files belonging to other users, including privileged administrators, increases the risk of data breaches. This undermines the confidentiality and integrity requirements set forth by these standards.

Useful 0 Not Useful 0