Frontend File Manager Plugin Security & Risk Analysis

wordpress.org/plugins/nmedia-user-file-uploader

N-Media Frontend File Manager plugin enables WordPress site users to upload, manage, and share files directly from the frontend with secure storage an …

1K active installs · v23.6 · PHP + · WP 3.5+ · Updated Jan 28, 2026
Tags: file-uploader, file-uploaders, front-end-upload, user-files, user-files-manager
Score: 10
Grade: F · Critical Risk
CVEs total: 25
Unpatched: 3
Last CVE: Feb 17, 2026
Safety Verdict

Is Frontend File Manager Plugin Safe to Use in 2026?

Critical Risk — Avoid

Score 10/100

Frontend File Manager Plugin is critically unsafe with 25 known CVEs, 3 still unpatched. Avoid in production.

25 known CVEs · 3 unpatched · Last CVE: Feb 17, 2026 · Updated 2mo ago
Risk Assessment

The nmedia-user-file-uploader plugin presents a mixed security posture. It demonstrates good practices in areas like SQL query sanitization (100% prepared statements) and a relatively high percentage of output escaping (87%), but several concerning factors emerge. The static analysis identifies 6 entry points, 1 of which is unprotected, posing a direct risk of unauthorized access or manipulation. The vulnerability history is a major red flag: 25 known CVEs, including 3 currently unpatched. The prevalence of vulnerabilities such as Path Traversal, Authorization Bypass, and Unrestricted Uploads, coupled with the recent date of the last known vulnerability (even if in the future, suggesting a potential for ongoing discovery), indicates a pattern of recurring security weaknesses within the plugin. The plugin has a considerable attack surface and a history of critical vulnerabilities that have not always been adequately addressed, leading to a heightened risk profile.

Key Concerns

  • 3 unpatched CVEs
  • 1 unprotected entry point
  • 1 REST API route without permission callback
  • 12 file operations (potential for misuse)
  • Bundled Select2 library (potential for outdatedness)
  • 13% of outputs not properly escaped
Vulnerabilities (25)

Frontend File Manager Plugin Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2015: 1 CVE
  • 2016: 1 CVE
  • 2021: 8 CVEs
  • 2022: 4 CVEs
  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 6 CVEs · unpatched
  • 2026: 2 CVEs · unpatched

Severity Breakdown

  • Critical: 5
  • High: 9
  • Medium: 11

25 total CVEs

CVE-2026-0829 · medium · 5.3 · Missing Authorization

Frontend File Manager <= 23.5 - Missing Authorization

Feb 17, 2026 Unpatched
CVE-2026-1280 · high · 7.5 · Missing Authorization

Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

Jan 27, 2026 Unpatched
CVE-2025-14804 · high · 8.1 · External Control of File Name or Path

Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

Dec 17, 2025 Patched in 23.5 (28d)
CVE-2025-13382 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming

Nov 24, 2025 Patched in 23.5 (25d)
CVE-2025-64265 · medium · 4.3 · Missing Authorization

Frontend File Manager <= 23.2 - Missing Authorization

Oct 30, 2025 Patched in 23.3 (19d)
CVE-2025-57921 · medium · 5.3 · Missing Authorization

Frontend File Manager <= 23.2 - Missing Authorization

Sep 22, 2025 Patched in 23.4 (57d)
CVE-2023-7306 · high · 7.5 · Missing Authorization

Frontend File Manager <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Jul 24, 2025 Patched in 22.0 (13d)
CVE-2025-27358 · medium · 4.3 · Missing Authorization

Frontend File Manager <= 23.2 - Missing Authorization to Authenticated (Subscriber+) Content Injection

Jul 4, 2025 Unpatched
CVE-2024-25903 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Frontend File Manager <= 22.7 - Sensitive Information Exposure via user uploads

Feb 12, 2024 Patched in 22.8 (3d)
CVE-2023-5105 · critical · 9.1 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Frontend File Manager Plugin <= 22.5 - Authenticated (Editor+) Directory Traversal

Nov 13, 2023 Patched in 22.6 (71d)
CVE-2022-3126 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Frontend File Manager Plugin <= 21.2 - Cross-Site Request Forgery to File Upload

Sep 26, 2022 Patched in 21.3 (484d)
CVE-2022-3125 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Frontend File Manager <= 21.2 - Authenticated (Subscriber+) Arbitrary File Upload

Sep 7, 2022 Patched in 21.3 (503d)
CVE-2022-3124 · medium · 6.5 · Missing Authorization

Frontend File Manager <= 21.2 - Missing Authorization

Sep 7, 2022 Patched in 21.3 (997d)
WF-59b63a01-fd8b-4742-a52f-c0a7b59e9e04-nmedia-user-file-uploader · high · 8.8 · Cross-Site Request Forgery (CSRF)

Frontend File Manager <= 21.3 - Cross-Site Request Forgery to Plugin Settings Update

Sep 6, 2022 Patched in 21.4 (504d)
CVE-2021-4344 · medium · 6.4 · Improper Authorization

Frontend File Manager <= 18.2 - Privilege Escalation

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4350 · high · 7.2 · Missing Authorization

Frontend File Manager <= 18.2 - Unauthenticated HTML Injection leading to Spam Emails

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4351 · medium · 5.8 · Missing Authorization

Frontend File Manager <= 18.2 - Unauthenticated Post Meta Change

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4356 · critical · 9 · Missing Authorization

Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4359 · medium · 6.5 · Missing Authorization

Frontend File Manager Plugin <= 18.2 - Unauthenticated Arbitrary Post Deletion

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4365 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Frontend File Manager <= 18.2 - Unauthenticated Stored Cross-Site Scripting

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4368 · critical · 9.9 · Missing Authorization

Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary File Upload

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2021-4369 · medium · 5.8 · Missing Authorization

Frontend File Manager <= 18.2 - Unauthenticated Content Injection

Jul 12, 2021 Patched in 18.3 (925d)
CVE-2016-15042 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Frontend File Manager < 4.0 & N-Media Post Front-end Form < 1.1 & - Arbitrary File Upload

Jul 16, 2016 Patched in 4.0 (3014d)
WF-f2ed5e51-8783-4b7f-9177-c116bf0fad44-nmedia-user-file-uploader · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Frontend File Manager <= 3.7 - Arbitrary File Upload

Jun 10, 2015 Patched in 3.8 (3149d)
CVE-2014-5324 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Frontend File Manager Plugin < 3.6 - Arbitrary File Upload

Sep 25, 2014 Patched in 3.6 (3407d)
Code Analysis
Analyzed Mar 16, 2026

Frontend File Manager Plugin Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 56 (361 escaped)
  • Nonce Checks: 13
  • Capability Checks: 4
  • File Operations: 12
  • External Requests: 1
  • Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

87% escaped · 417 total outputs

Data Flows: All sanitized

Data Flow Analysis

6 flows
wpfm_save_settings (inc\admin.php:9)
Attack Surface (1 unprotected)

Frontend File Manager Plugin Attack Surface

Entry Points: 6
Unprotected: 1

AJAX Handlers 1

auth wp_ajax_wpfm_submit_uninstall_reason inc\deactivate.class.php:20

REST API Routes 1

POST /wp-json/wpfm/v1/file-rename inc\classes\class.rest.php:17

Shortcodes 4

[nm-wp-file-uploader] inc\classes\class.frontend.php:30
[ffmwp] inc\classes\class.frontend.php:31
[nm-wp-file-uploader-legacy] wp-file-manager.php:263
[wpfm] wp-file-manager.php:266
WordPress Hooks 31
filter ffmwp_the_context inc\classes\class.frontend.php:34
action admin_enqueue_scripts inc\classes\class.meta.php:15
action rest_api_init inc\classes\class.rest.php:11
action admin_enqueue_scripts inc\deactivate.class.php:17
action admin_footer inc\deactivate.class.php:19
action wp_enqueue_scripts inc\inputs\input.date.php:31
action init wp-file-manager.php:65
action before_delete_post wp-file-manager.php:76
action admin_menu wp-file-manager.php:80
filter admin_url wp-file-manager.php:82
action admin_menu wp-file-manager.php:84
filter query_vars wp-file-manager.php:87
action admin_enqueue_scripts wp-file-manager.php:90
action save_post wp-file-manager.php:97
action wpfm_after_directory_post_saved wp-file-manager.php:100
action wpfm_after_file_post_save wp-file-manager.php:101
action wpfm_file_meta_saving wp-file-manager.php:102
action wpfm_after_all_files_post_save wp-file-manager.php:103
action wpfm_after_all_files_post_save wp-file-manager.php:104
filter wpfm_uploaded_filename wp-file-manager.php:105
filter manage_edit-wpfm-files_columns wp-file-manager.php:108
action manage_wpfm-files_posts_custom_column wp-file-manager.php:109
filter manage_edit-wpfm-files_sortable_columns wp-file-manager.php:110
filter wpfm_top_menu wp-file-manager.php:114
filter intermediate_image_sizes_advanced wp-file-manager.php:117
filter wpfm_wp_files_query wp-file-manager.php:124
action admin_footer-edit.php wp-file-manager.php:128
filter theme_page_templates wp-file-manager.php:131
filter page_template wp-file-manager.php:132
action before_delete_post wp-file-manager.php:135
action plugins_loaded wp-file-manager.php:284
Maintenance & Trust

Frontend File Manager Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 28, 2026
PHP min version
Downloads: 199K

Community Trust

Rating: 80/100
Number of ratings: 43
Active installs: 1K
Developer Profile

Frontend File Manager Plugin Developer Profile

N-Media

23 plugins · 5K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 588 days
Detection Fingerprints

How We Detect Frontend File Manager Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/nmedia-user-file-uploader/assets/css/bootstrap.min.css
  • /wp-content/plugins/nmedia-user-file-uploader/assets/css/font-awesome.min.css
  • /wp-content/plugins/nmedia-user-file-uploader/assets/css/nmedia-admin-style.css
  • /wp-content/plugins/nmedia-user-file-uploader/assets/css/wpfm-style.css
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/bootstrap.min.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/file-upload.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/jquery.validate.min.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/main.js
  • +4 more
Script Paths
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/file-upload.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/main.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/uploader.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/nm-admin-script.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/script.js
  • /wp-content/plugins/nmedia-user-file-uploader/assets/js/jquery.validate.min.js
  • +2 more
Version Parameters
  • nmedia-user-file-uploader/assets/css/bootstrap.min.css?ver=
  • nmedia-user-file-uploader/assets/css/font-awesome.min.css?ver=
  • nmedia-user-file-uploader/assets/css/nmedia-admin-style.css?ver=
  • nmedia-user-file-uploader/assets/css/wpfm-style.css?ver=
  • nmedia-user-file-uploader/assets/js/bootstrap.min.js?ver=
  • nmedia-user-file-uploader/assets/js/file-upload.js?ver=
  • nmedia-user-file-uploader/assets/js/jquery.validate.min.js?ver=
  • nmedia-user-file-uploader/assets/js/main.js?ver=
  • nmedia-user-file-uploader/assets/js/nm-admin-script.js?ver=
  • nmedia-user-file-uploader/assets/js/pdfobject.js?ver=
  • nmedia-user-file-uploader/assets/js/script.js?ver=
  • nmedia-user-file-uploader/assets/js/uploader.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpfm-upload-button
  • wpfm-file-upload-form
  • wpfm-upload-progress-bar
  • wpfm-file-manager-container
  • nm-file-manager-table
  • wpfm-file-manager-header
HTML Comments
  • <!-- wpfm_add_file_manager -->
  • <!-- Start of New FrontEnd -->
  • <!-- End of New FrontEnd -->
  • <!-- nmedia admin script -->
Data Attributes
  • data-wpfm-upload-id
  • data-wpfm-file-path
  • data-wpfm-upload-url
JS Globals
  • wpfm_settings
  • WPFM_Frontend
  • NmediaFileManager
REST Endpoints
  • /wp-json/wpfm/v1/upload
  • /wp-json/wpfm/v1/files
  • /wp-json/wpfm/v1/delete
Shortcode Output
  • [wpfm_file_manager]
  • [wpfm_upload_form]
  • [wpfm_download_list]