Share
## https://sploitus.com/exploit?id=91BD22BB-D989-5A87-A4B3-4725E4F27536
# CVE-2026-12277

**Frontend File Manager Plugin (WordPress) 
```

Or in localized JavaScript:
```javascript
var wpfm_vars = {"wpfm_ajax_nonce":"abc123def4"};
```

## Path Bypass Technique

The code does `unset($_REQUEST['wpfm_dir_path'])` to prevent direct overwrite. The bypass:

1. **Query string injection**: Send `wpfm_dir_path` via URL query parameter while other data goes via POST body. PHP's `$_REQUEST` merging behavior allows the value to persist depending on `request_order` config.

2. **Pre-set during upload flow**: The `wpfm_dir_path` meta is set during the initial file upload hooks. If exploited at that stage, no bypass needed.

## Tested Environment

| Component | Version |
|-----------|---------|
| WordPress | 6.9.4 |
| PHP | 8.2.12 |
| Plugin | Frontend File Manager 23.6 |
| OS | Windows (XAMPP) / Linux |
| Result | **Full takeover confirmed** |

## Vulnerable Code References

### Nonce Disabled (`inc/files.php:769-771`)
```php
/*if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
    wp_send_json_error(__("Sorry, this request cannot be completed contact admin", "wpfm"));
}*/
```

### Arbitrary Meta Write (`inc/files.php:787-795`)
```php
$meta_fields = $_REQUEST;
foreach ($meta_fields as $meta_key => $meta_value) {
    update_post_meta( $file_id, sanitize_key($meta_key), sanitize_text_field($meta_value));
}
```

### Authorization Bypass (`inc/files.php:690-693`)
```php
$allow_guest = wpfm_get_option('_allow_guest_upload') == 'yes' ? true : false;
if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
    wp_send_json_error(__("Sorry, not allowed", "wpfm"));
}
// When guest upload ON โ†’ !$allow_guest = false โ†’ entire check SKIPPED
```

### Unvalidated Deletion (`inc/file.class.php:729-753`)
```php
function delete_file_locally() {
    $file_path = $this->path;  // from wpfm_dir_path meta - NO VALIDATION
    if (file_exists($file_path)) {
        unlink($file_path);    // ARBITRARY FILE DELETION
    }
}
```

### Path Resolution (`inc/file.class.php:172-184`)
```php
function path() {
    $file_dir_path = null;
    if( ! $file_dir_path = $this->get_meta('wpfm_dir_path') ) {
        $file_dir_path = $this->legacy->path();  // fallback: upload_dir + wpfm_file_name
    }
    if( ! is_file($file_dir_path) ) {
        $file_dir_path = null;
    }
    return $file_dir_path;  // NO canonicalization, NO realpath check
}
```

## Remediation

- Uncomment nonce verification in `wpfm_file_meta_update`
- Validate `wpfm_dir_path` against upload directory using `realpath()` + prefix check
- Never allow user-controlled input in file deletion paths
- Add proper authorization checks independent of guest upload setting

## Disclaimer

This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain written permission before testing.