CVE-2026-12277
Received Received - Intake

Frontend File Manager Plugin WordPress Arbitrary File Deletion

Vulnerability report for CVE-2026-12277, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: WPScan

Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
frontend_file_manager_plugin frontend_file_manager_plugin to 23.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can have severe impacts including unauthorized deletion of critical server files by unauthenticated users. Specifically, deleting the wp-config.php file forces the WordPress site into its setup routine, which attackers can use to gain full control over the site, resulting in a complete site takeover.

Mitigation Strategies

The vulnerability exists when guest upload mode is enabled in the Frontend File Manager Plugin up to version 23.6. Immediate mitigation steps include disabling guest upload mode to prevent unauthenticated users from deleting arbitrary files.

Since no fix is currently available, restricting access to the plugin or removing it temporarily can reduce risk.

Monitoring critical files such as wp-config.php for unexpected deletions or changes can help detect exploitation attempts.

Executive Summary

The Frontend File Manager Plugin for WordPress, up to version 23.6, has a vulnerability that allows unauthenticated users to delete arbitrary files on the server. This happens because the plugin does not properly validate file paths derived from user input before deleting files. When guest upload mode is enabled, attackers can exploit this flaw to delete critical files such as wp-config.php.

Deleting wp-config.php forces the WordPress site into its setup routine, which can be leveraged by attackers to take over the entire site.

Compliance Impact

The vulnerability allows unauthenticated users to delete arbitrary files on the server, including critical configuration files like wp-config.php. This can lead to a full site takeover, which represents a significant security misconfiguration.

Such a security flaw could impact compliance with common standards and regulations like GDPR and HIPAA, as these require adequate protection of data and system integrity to prevent unauthorized access or disruption.

However, the provided information does not explicitly mention the direct effects on compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart