Home

Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

PUBLISHED Reserved 2026-06-15 | Published 2026-07-07 | Updated 2026-07-07 | Assigner WPScan

Problem types

CWE-73 External Control of File Name or Path

Product status

Default status
unknown

Any version
affected

Credits

Chamseddine Bouzaiene finder

WPScan coordinator

References

wpscan.com/...rability/30f208f6-9d7b-4aaf-8689-496521d1a1dc/ exploit vdb-entry technical-description

cve.org (CVE-2026-12277)

nvd.nist.gov (CVE-2026-12277)

Download JSON