CVE-2026-8379 | THREATINT

Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-23 | Updated 2026-06-23 | Assigner WPScan

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status

unknown

Any version

affected

Credits

Alexander Jurkschat finder

WPScan coordinator

References

wpscan.com/...rability/71619406-19bb-437f-9538-fdf73de98827/ exploit vdb-entry technical-description

cve.org (CVE-2026-8379)

nvd.nist.gov (CVE-2026-8379)

Download JSON