CVE-2026-8095
Status: Received - Intake

Authenticated Arbitrary File Deletion in Frontend File Manager WordPress Plugin

Vulnerability report for CVE-2026-8095, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: Wordfence

Description

The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6. This is due to a case-sensitive bypass of the wpfm_dir_path parameter sanitization in the wpfm_file_meta_update AJAX handler, where supplying WPFM_DIR_PATH in uppercase evades the unset check and is normalized to wpfm_dir_path by sanitize_key() during update_post_meta(), allowing an attacker to overwrite the stored file path with an arbitrary filesystem path that is then passed directly to unlink() in delete_file_locally() without any directory containment validation. This makes it possible for authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including sensitive files such as wp-config.php, potentially leading to full site takeover.
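As an added illustration of the pattern the description names (hypothetical PHP written for this page, not the plugin's own source; the function names, the `$editable` allow-list, the constructed request and the in-memory stand-ins for `sanitize_key()` / `update_post_meta()` are all assumptions), the vulnerable key-filtering pattern is shown beside a hardened version that normalises the key before deciding whether it may be written, and adds a directory-containment check before `unlink()`:

```php
<?php
// Added illustration (not the plugin's code): a hypothetical AJAX meta-update
// handler mirroring the pattern in the advisory, followed by a hardened form.
// wpfm_file_meta_update_vulnerable, wpfm_file_meta_update_hardened and
// wpfm_delete_file_locally are assumed names.

// Minimal stand-ins so the file runs outside WordPress; in a plugin these
// come from core. Core's sanitize_key() lowercases and keeps only a-z0-9_-.
if (!function_exists('sanitize_key')) {
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
    }
}
if (!function_exists('update_post_meta')) {
    $GLOBALS['demo_meta'] = [];
    function update_post_meta($post_id, $key, $value) {
        $GLOBALS['demo_meta'][$post_id][$key] = $value;
    }
    function get_post_meta($post_id, $key, $single = false) {
        return $GLOBALS['demo_meta'][$post_id][$key] ?? '';
    }
}

// Vulnerable pattern: the protected key is removed before the loop, but only
// in its exact lowercase spelling. A key differing only in case survives the
// unset() and is then lowercased by sanitize_key(), so it is stored under the
// protected name.
function wpfm_file_meta_update_vulnerable(int $post_id, array $request): void {
    unset($request['wpfm_dir_path']);          // case-sensitive: 'WPFM_DIR_PATH' survives
    foreach ($request as $key => $value) {
        update_post_meta($post_id, sanitize_key($key), $value);
    }
}

// Hardened pattern: normalise first, then decide. An allow-list of editable
// keys is stricter than a deny-list and is unaffected by casing tricks.
function wpfm_file_meta_update_hardened(int $post_id, array $request): void {
    $editable = ['wpfm_title', 'wpfm_description'];  // assumed editable fields
    foreach ($request as $key => $value) {
        $key = sanitize_key($key);
        if (!in_array($key, $editable, true)) {
            continue;                                // any casing of wpfm_dir_path is dropped
        }
        update_post_meta($post_id, $key, $value);
    }
}

// Defence in depth for the deletion step: even if stored meta were tampered
// with, refuse to unlink anything outside the plugin's base directory.
function wpfm_delete_file_locally(int $post_id, string $base_dir): bool {
    $stored = get_post_meta($post_id, 'wpfm_dir_path', true);
    $base   = realpath($base_dir);
    $target = realpath($stored);
    if ($base === false || $target === false) {
        return false;                                // nothing resolvable to delete
    }
    // The resolved path must sit strictly inside the base directory.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                // containment check failed
    }
    return unlink($target);
}

// Walk-through with a constructed request: only the vulnerable handler lets
// the uppercased key reach the protected meta field.
$req = ['WPFM_DIR_PATH' => '/tmp/outside-uploads.txt', 'wpfm_title' => 'notes'];
wpfm_file_meta_update_vulnerable(1, $req);
echo "vulnerable stored: ", var_export(get_post_meta(1, 'wpfm_dir_path', true), true), PHP_EOL;
wpfm_file_meta_update_hardened(2, $req);
echo "hardened stored:   ", var_export(get_post_meta(2, 'wpfm_dir_path', true), true), PHP_EOL;
```

The two fixes are independent and both are worth having: the allow-list closes the meta-overwrite path, and the `realpath()` containment check makes `delete_file_locally()` safe even if some other code path later manages to write an unexpected value into `wpfm_dir_path`.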


Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: wpfilemanager
Product: frontend_file_manager_plugin
Version / Range: up to and including 23.6

CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.

Executive Summary

The Frontend File Manager Plugin for WordPress has a vulnerability in versions up to and including 23.6 that allows authenticated users to delete arbitrary files on the server. This happens because the plugin's parameter sanitization for file paths can be bypassed by using an uppercase version of the parameter name, which is then normalized and used without proper validation. As a result, an attacker with Subscriber-level access can overwrite the stored file path with any filesystem path, which is then deleted by the server.

Impact Analysis

This vulnerability can have severe impacts including the deletion of sensitive files on the server such as wp-config.php. This can lead to a full site takeover by an attacker, compromising the integrity and availability of the website and potentially exposing it to further attacks.
