[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKca3pvxOwDWsBBxchSKSAaqPSgdgU1NtEtHZC1pbVIY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":27,"vuln_count":28,"unpatched_count":29,"last_vuln_date":30,"fetched_at":31,"vulnerabilities":32,"developer":315,"crawl_stats":38,"alternatives":323,"analysis":408,"fingerprints":796},"nmedia-user-file-uploader","Frontend File Manager Plugin","23.6","N-Media","https:\u002F\u002Fprofiles.wordpress.org\u002Fnmedia\u002F","\u003Cp>N-Media Frontend File Manager empowers WordPress users to securely upload files that are accessible only to admins. Each user’s files are stored in a private directory, ensuring only they can download or delete their own files after logging in. To unlock even more advanced control, explore the PRO features below. 
Use the following shortcode to integrate the plugin on your site: \u003Cstrong>[ffmwp]\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Enhancements (v23.6)\u003C\u002Fstrong>\u003Cbr \u002F>\n– Fixed critical email relay vulnerability\u003Cbr \u002F>\n– Enhanced nonce verification across all AJAX functions\u003Cbr \u002F>\n– Added rate limiting for uploads, deletions, and directory creation\u003Cbr \u002F>\n– Improved file type validation and MIME checking\u003Cbr \u002F>\n– Strengthened authorization checks\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Live Demo Instructions\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Ca href=\"https:\u002F\u002Fnajeebmedia.com\u002Ffilemanager-demo\" rel=\"nofollow ugc\">Click here\u003C\u002Fa> to launch the demo.\u003Cbr \u002F>\n– Once live, go to \u003Cstrong>Settings > NM Demo\u003C\u002Fstrong>.\u003Cbr \u002F>\n– Click \u003Cstrong>Initialize Demo: File Manager\u003C\u002Fstrong> to set up demo pages.\u003Cbr \u002F>\n– Start exploring the plugin’s features!\u003C\u002Fp>\n\u003Ch3>Quick Video Overview\u003C\u002Fh3>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F285132267\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\n\u003Ch3>Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Secure File Uploading\u003C\u002Fstrong>: Protect files with secure upload and storage.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User-Friendly UI\u003C\u002Fstrong>: Fast, responsive, and visually appealing interface.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Smart Search & Sorting Filters\u003C\u002Fstrong>: Easily locate files with search and filter options.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed File Popups\u003C\u002Fstrong>: View file information at a glance.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Customizable File Type & Size 
Limits\u003C\u002Fstrong>: Set specific upload restrictions.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom Labels for Buttons\u003C\u002Fstrong>: Personalize the upload and save buttons.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Real-Time Upload Progress Bar\u003C\u002Fstrong>: Track upload progress visually.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Image Thumbnails\u003C\u002Fstrong>: See previews for image files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Detailed Admin View\u003C\u002Fstrong>: Manage and view file details in the admin dashboard.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Pro Features\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>\u003Cstrong>Directory Creation\u003C\u002Fstrong>: Users can create custom directories.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Maximum File Upload Control\u003C\u002Fstrong>: Set individual file upload limits.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Count Per User\u003C\u002Fstrong>: Limit the number of files each user can upload.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Role-Based File Size Quota\u003C\u002Fstrong>: Define upload quotas based on user roles.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email Notifications\u003C\u002Fstrong>: Configure alerts for file uploads.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automated Filename Prefixes\u003C\u002Fstrong>: Use timestamp prefixes for file organization.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Guest Uploads\u003C\u002Fstrong>: Allow guest users to upload files.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Sharing\u003C\u002Fstrong>: Enable users to share files via email.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>File Grouping\u003C\u002Fstrong>: Organize files into groups for easy access.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Unlimited Download Areas\u003C\u002Fstrong>: Create multiple download sections.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Custom File Metadata\u003C\u002Fstrong>: Attach custom fields to files, adding valuable context.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Visual Composer 
Compatibility\u003C\u002Fstrong>: Easily integrate with Visual Composer.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Download Areas\u003C\u002Fh3>\n\u003Cp>The Download Manager feature lets you create unlimited download pages and specify file sources based on user roles, specific users, or groups. Grant access selectively to individual users or entire roles.\u003Cbr \u002F>\n\u003Cdiv class=\"embed-vimeo\" style=\"text-align: center;\">\u003Ciframe loading=\"lazy\" src=\"https:\u002F\u002Fplayer.vimeo.com\u002Fvideo\u002F287895466\" width=\"750\" height=\"422\" frameborder=\"0\" webkitallowfullscreen mozallowfullscreen allowfullscreen>\u003C\u002Fiframe>\u003C\u002Fdiv>\u003C\u002Fp>\n\u003Ch3>Custom File Metadata\u003C\u002Fh3>\n\u003Cp>Admin can create custom metadata fields for files, adding extra detail to each upload. Metadata fields are easy to set up using drag-and-drop functionality and can include:\u003Cbr \u002F>\n– \u003Cstrong>Text\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Textarea\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Select\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Checkbox\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Masked Format (customized)\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Email\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Date Picker\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Image Upload\u003C\u002Fstrong>\u003Cbr \u002F>\n– \u003Cstrong>Checkbox\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>\u003Ca href=\"https:\u002F\u002Fnajeebmedia.com\u002Fwordpress-plugin\u002Fwp-front-end-file-upload-and-download-manager\u002F\" rel=\"nofollow ugc\">Get the Pro Version\u003C\u002Fa>\u003C\u002Fstrong> to unlock advanced features for a comprehensive file management experience.\u003C\u002Fp>\n","N-Media Frontend File Manager plugin enables WordPress site users to upload, manage, and share files directly from the frontend with secure storage an 
&hellip;",1000,198767,80,43,"2026-01-28T04:42:00.000Z","6.9.4","3.5","",[20,21,22,23,24],"file-uploader","file-uploaders","front-end-upload","user-files","user-files-manager","https:\u002F\u002Fnajeebmedia.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnmedia-user-file-uploader.23.6.zip",10,25,3,"2026-02-17 00:00:00","2026-03-15T15:16:48.613Z",[33,47,59,74,86,98,108,121,130,143,159,173,184,195,206,220,229,238,247,254,263,272,279,293,304],{"id":34,"url_slug":35,"title":36,"description":37,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":38,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":30,"updated_date":44,"references":45,"days_to_patch":38},"CVE-2026-0829","frontend-file-manager-missing-authorization","Frontend File Manager \u003C= 23.5 - Missing Authorization","The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.5. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.",null,"\u003C=23.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-24 17:28:22",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4cbc0dd4-4dea-4890-95d0-9531a669b95d?source=api-prod",{"id":48,"url_slug":49,"title":50,"description":51,"plugin_slug":4,"theme_slug":38,"affected_versions":39,"patched_in_version":38,"severity":52,"cvss_score":53,"cvss_vector":54,"vuln_type":43,"published_date":55,"updated_date":56,"references":57,"days_to_patch":38},"CVE-2026-1280","frontend-file-manager-plugin-missing-authorization-to-unauthenticated-arbitrary-file-sharing-via-fileid-parameter","Frontend File Manager Plugin \u003C= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter","The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. 
Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","2026-01-27 21:50:20","2026-01-28 11:23:44",[58],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe739e7d3-756a-4c93-9ca7-f7b9f9657033?source=api-prod",{"id":60,"url_slug":61,"title":62,"description":63,"plugin_slug":4,"theme_slug":38,"affected_versions":64,"patched_in_version":65,"severity":52,"cvss_score":66,"cvss_vector":67,"vuln_type":68,"published_date":69,"updated_date":70,"references":71,"days_to_patch":73},"CVE-2025-14804","frontend-file-manager-authenticated-subscriber-arbitrary-file-deletion","Frontend File Manager \u003C= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion","The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","\u003C=23.4","23.5",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","External Control of File Name or Path","2025-12-17 00:00:00","2026-01-13 21:51:21",[72],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9615ef3f-e1e3-4791-a5a5-19260fee6354?source=api-prod",28,{"id":75,"url_slug":76,"title":77,"description":78,"plugin_slug":4,"theme_slug":38,"affected_versions":64,"patched_in_version":65,"severity":40,"cvss_score":79,"cvss_vector":80,"vuln_type":81,"published_date":82,"updated_date":83,"references":84,"days_to_patch":28},"CVE-2025-13382","frontend-file-manager-plugin-insecure-direct-object-reference-to-authenticated-subscriber-arbitrary-file-renaming","Frontend File Manager Plugin \u003C= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming","The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '\u002Fwpfm\u002Fv1\u002Ffile-rename' REST API endpoint. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2025-11-24 19:15:11","2025-12-19 14:32:08",[85],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faa8d5feb-2ae9-44b8-90b5-9fc67226855a?source=api-prod",{"id":87,"url_slug":88,"title":89,"description":90,"plugin_slug":4,"theme_slug":38,"affected_versions":91,"patched_in_version":92,"severity":40,"cvss_score":79,"cvss_vector":80,"vuln_type":43,"published_date":93,"updated_date":94,"references":95,"days_to_patch":97},"CVE-2025-64265","frontend-file-manager-missing-authorization-4","Frontend File Manager \u003C= 23.2 - Missing Authorization","The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 23.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","\u003C=23.2","23.3","2025-10-30 00:00:00","2025-11-17 19:04:24",[96],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff8f372cb-739f-44e2-9074-e91b8c903837?source=api-prod",19,{"id":99,"url_slug":100,"title":89,"description":101,"plugin_slug":4,"theme_slug":38,"affected_versions":91,"patched_in_version":102,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":103,"updated_date":104,"references":105,"days_to_patch":107},"CVE-2025-57921","frontend-file-manager-missing-authorization-2","The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.2. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","23.4","2025-09-22 00:00:00","2025-11-17 20:55:46",[106],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8ff66981-68ed-489a-b53f-4a1029e7590e?source=api-prod",57,{"id":109,"url_slug":110,"title":111,"description":112,"plugin_slug":4,"theme_slug":38,"affected_versions":113,"patched_in_version":114,"severity":52,"cvss_score":53,"cvss_vector":115,"vuln_type":43,"published_date":116,"updated_date":117,"references":118,"days_to_patch":120},"CVE-2023-7306","frontend-file-manager-missing-authorization-to-unauthenticated-arbitrary-post-deletion","Frontend File Manager \u003C= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion","The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts.","\u003C=21.5","22.0","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","2025-07-24 00:00:00","2025-08-05 20:12:35",[119],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fabf422ce-fa03-4bed-a4ec-b31d36de7633?source=api-prod",13,{"id":122,"url_slug":123,"title":124,"description":125,"plugin_slug":4,"theme_slug":38,"affected_versions":91,"patched_in_version":38,"severity":40,"cvss_score":79,"cvss_vector":80,"vuln_type":43,"published_date":126,"updated_date":127,"references":128,"days_to_patch":38},"CVE-2025-27358","frontend-file-manager-missing-authorization-to-authenticated-subscriber-content-injection","Frontend File Manager \u003C= 23.2 - Missing Authorization to Authenticated (Subscriber+) Content Injection","The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability 
check on a function in all versions up to, and including, 23.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject content.","2025-07-04 00:00:00","2025-07-08 19:51:21",[129],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd6de5295-cb13-4e53-bcb2-3fc6c95b849a?source=api-prod",{"id":131,"url_slug":132,"title":133,"description":134,"plugin_slug":4,"theme_slug":38,"affected_versions":135,"patched_in_version":136,"severity":40,"cvss_score":41,"cvss_vector":137,"vuln_type":138,"published_date":139,"updated_date":140,"references":141,"days_to_patch":29},"CVE-2024-25903","frontend-file-manager-sensitive-information-exposure-via-user-uploads","Frontend File Manager \u003C= 22.7 - Sensitive Information Exposure via user uploads","The Frontend File Manager Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 22.7 via the user upload functionality. 
This makes it possible for unauthenticated attackers to access user-uploaded files.","\u003C=22.7","22.8","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2024-02-12 00:00:00","2024-02-14 20:43:50",[142],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbbade634-cd81-41c0-8976-f5cb251da3f2?source=api-prod",{"id":144,"url_slug":145,"title":146,"description":147,"plugin_slug":4,"theme_slug":38,"affected_versions":148,"patched_in_version":149,"severity":150,"cvss_score":151,"cvss_vector":152,"vuln_type":153,"published_date":154,"updated_date":155,"references":156,"days_to_patch":158},"CVE-2023-5105","frontend-file-manager-plugin-authenticated-editor-directory-traversal","Frontend File Manager Plugin \u003C= 22.5 - Authenticated (Editor+) Directory Traversal","The Frontend File Manager Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 22.5. 
This makes it possible for authenticated attackers, with editor access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","\u003C=22.5","22.6","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2023-11-13 00:00:00","2024-01-22 19:56:02",[157],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb59b5c41-6173-485e-869d-4165dc18e2bd?source=api-prod",71,{"id":160,"url_slug":161,"title":162,"description":163,"plugin_slug":4,"theme_slug":38,"affected_versions":164,"patched_in_version":165,"severity":52,"cvss_score":166,"cvss_vector":167,"vuln_type":168,"published_date":169,"updated_date":155,"references":170,"days_to_patch":172},"CVE-2022-3126","frontend-file-manager-plugin-cross-site-request-forgery-to-file-upload","Frontend File Manager Plugin \u003C= 21.2 - Cross-Site Request Forgery to File Upload","The \"Frontend File Manager Plugin\" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 21.2. This is due to missing or incorrect nonce validation on the wpfm_upload_file function. 
This makes it possible for unauthenticated attackers to upload files on behalf of other users, via forged request granted they can trick such a user into performing an action such as clicking on a link.","\u003C=21.2","21.3",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2022-09-26 00:00:00",[171],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F361e2d5c-4355-4e71-91aa-2c1bc6b6fb78?source=api-prod",484,{"id":174,"url_slug":175,"title":176,"description":177,"plugin_slug":4,"theme_slug":38,"affected_versions":164,"patched_in_version":165,"severity":52,"cvss_score":166,"cvss_vector":178,"vuln_type":179,"published_date":180,"updated_date":155,"references":181,"days_to_patch":183},"CVE-2022-3125","frontend-file-manager-authenticated-subscriber-arbitrary-file-upload","Frontend File Manager \u003C= 21.2 - Authenticated (Subscriber+) Arbitrary File Upload","The Frontend File Manager plugin for WordPress is vulnerable to arbitrary file uploads in versions up to, and including, 21.2. 
The vulnerability makes it possible for authenticated attackers, with subscriber-level permissions and above, to upload arbitrary files on the affected sites server and change their file extensions which may make remote code execution possible.","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2022-09-07 00:00:00",[182],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F628eef73-1725-4290-bb30-07792d1d5b6c?source=api-prod",503,{"id":185,"url_slug":186,"title":187,"description":188,"plugin_slug":4,"theme_slug":38,"affected_versions":164,"patched_in_version":165,"severity":40,"cvss_score":189,"cvss_vector":190,"vuln_type":43,"published_date":180,"updated_date":191,"references":192,"days_to_patch":194},"CVE-2022-3124","frontend-file-manager-missing-authorization-3","Frontend File Manager \u003C= 21.2 - Missing Authorization","The Frontend File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check and lacking authentication in versions up to, and including, 21.2. 
This makes it possible for unauthenticated attackers to rename uploaded files on the site.",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","2025-05-30 21:03:46",[193],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc56e5250-7cbd-41f4-9b8c-79a644830708?source=api-prod",997,{"id":196,"url_slug":197,"title":198,"description":199,"plugin_slug":4,"theme_slug":38,"affected_versions":200,"patched_in_version":201,"severity":52,"cvss_score":166,"cvss_vector":167,"vuln_type":168,"published_date":202,"updated_date":155,"references":203,"days_to_patch":205},"WF-59b63a01-fd8b-4742-a52f-c0a7b59e9e04-nmedia-user-file-uploader","frontend-file-manager-cross-site-request-forgery-to-plugin-settings-update","Frontend File Manager \u003C= 21.3 - Cross-Site Request Forgery to Plugin Settings Update","The Frontend File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 21.3. This is due to missing or incorrect nonce validation on the wpfm_save_settings function. 
This makes it possible for unauthenticated attackers to modify the plugin's settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.","\u003C=21.3","21.4","2022-09-06 00:00:00",[204],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F59b63a01-fd8b-4742-a52f-c0a7b59e9e04?source=api-prod",504,{"id":207,"url_slug":208,"title":209,"description":210,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":40,"cvss_score":213,"cvss_vector":214,"vuln_type":215,"published_date":216,"updated_date":155,"references":217,"days_to_patch":219},"CVE-2021-4344","frontend-file-manager-privilege-escalation","Frontend File Manager \u003C= 18.2 - Privilege Escalation","The Frontend File Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 18.2. This is due to lacking mishandling the use of user IDs that is accessible by the visitor. 
This makes it possible for unauthenticated or authenticated attackers to access the information and privileges of other users, including 'guest users', in their own category (authenticated, or unauthenticated guests).","\u003C18.3","18.3",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Authorization","2021-07-12 00:00:00",[218],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F28a7b2c9-5d8d-4b49-a47c-473e3288b563?source=api-prod",925,{"id":221,"url_slug":222,"title":223,"description":224,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":52,"cvss_score":225,"cvss_vector":226,"vuln_type":43,"published_date":216,"updated_date":155,"references":227,"days_to_patch":219},"CVE-2021-4350","frontend-file-manager-unauthenticated-html-injection-leading-to-spam-emails","Frontend File Manager \u003C= 18.2 - Unauthenticated HTML Injection leading to Spam Emails","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated HTML Injection in versions up to, and including, 18.2. This is due to lacking authentication protections on the wpfm_send_file_in_email AJAX action. This makes it possible for unauthenticated attackers to send emails using the site with a custom subject, recipient email, and body with unsanitized HTML content.  
This effectively lets the attacker use the site as a spam relay.",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:N\u002FI:L\u002FA:L",[228],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F49150180-9de0-4318-b21b-779daaeb7a52?source=api-prod",{"id":230,"url_slug":231,"title":232,"description":233,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":40,"cvss_score":234,"cvss_vector":235,"vuln_type":43,"published_date":216,"updated_date":155,"references":236,"days_to_patch":219},"CVE-2021-4351","frontend-file-manager-unauthenticated-post-meta-change","Frontend File Manager \u003C= 18.2 - Unauthenticated Post Meta Change","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages.",5.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:N\u002FI:L\u002FA:N",[237],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5539aa79-66ad-43fa-967c-2bec877061e0?source=api-prod",{"id":239,"url_slug":240,"title":241,"description":242,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":150,"cvss_score":243,"cvss_vector":244,"vuln_type":43,"published_date":216,"updated_date":155,"references":245,"days_to_patch":219},"CVE-2021-4356","frontend-file-manager-unauthenticated-arbitrary-file-download","Frontend File Manager \u003C= 18.2 - Unauthenticated Arbitrary File Download","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. 
This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.",9,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H",[246],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F79e2011c-5e4d-4d02-831f-6b4dcfcaa51e?source=api-prod",{"id":248,"url_slug":249,"title":250,"description":251,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":40,"cvss_score":189,"cvss_vector":190,"vuln_type":43,"published_date":216,"updated_date":155,"references":252,"days_to_patch":219},"CVE-2021-4359","frontend-file-manager-plugin-unauthenticated-arbitrary-post-deletion","Frontend File Manager Plugin \u003C= 18.2 - Unauthenticated Arbitrary Post Deletion","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. 
This makes it possible for unauthenticated attackers to delete any posts and pages on the site.",[253],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F84c61d00-20c1-4176-a74d-ea6ff6220f26?source=api-prod",{"id":255,"url_slug":256,"title":257,"description":258,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":52,"cvss_score":225,"cvss_vector":259,"vuln_type":260,"published_date":216,"updated_date":155,"references":261,"days_to_patch":219},"CVE-2021-4365","frontend-file-manager-unauthenticated-stored-cross-site-scripting","Frontend File Manager \u003C= 18.2 - Unauthenticated Stored Cross-Site Scripting","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to, and including, 18.2. This is due to lacking authentication protections and sanitization all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",[262],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa9c82154-d390-44ba-a54a-89f4bb69cdce?source=api-prod",{"id":264,"url_slug":265,"title":266,"description":267,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":150,"cvss_score":268,"cvss_vector":269,"vuln_type":43,"published_date":216,"updated_date":155,"references":270,"days_to_patch":219},"CVE-2021-4368","frontend-file-manager-authenticated-settings-change-leading-to-arbitrary-file-upload","Frontend File Manager \u003C= 18.2 - Authenticated Settings Change leading to Arbitrary File Upload","The Frontend File Manager plugin for WordPress is vulnerable to Authenticated 
Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types.  This can lead to remote code execution through other vulnerabilities.",9.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:H\u002FI:H\u002FA:H",[271],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fadb1d8b0-b1d6-40df-b591-f1062ee744fb?source=api-prod",{"id":273,"url_slug":274,"title":275,"description":276,"plugin_slug":4,"theme_slug":38,"affected_versions":211,"patched_in_version":212,"severity":40,"cvss_score":234,"cvss_vector":235,"vuln_type":43,"published_date":216,"updated_date":155,"references":277,"days_to_patch":219},"CVE-2021-4369","frontend-file-manager-unauthenticated-content-injection","Frontend File Manager \u003C= 18.2 - Unauthenticated Content Injection","The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. 
This makes it possible for unauthenticated attackers to edit the content and title of every page on the site.",[278],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc434e6b8-0dd5-4ffe-93b1-1af614c08f85?source=api-prod",{"id":280,"url_slug":281,"title":282,"description":283,"plugin_slug":4,"theme_slug":38,"affected_versions":284,"patched_in_version":285,"severity":150,"cvss_score":286,"cvss_vector":287,"vuln_type":179,"published_date":288,"updated_date":289,"references":290,"days_to_patch":292},"CVE-2016-15042","frontend-file-manager-n-media-post-front-end-form-arbitrary-file-upload","Frontend File Manager \u003C 4.0 & N-Media Post Front-end Form \u003C 1.1 & - Arbitrary File Upload","The Frontend File Manager (versions \u003C 4.0), N-Media Post Front-end Form (versions \u003C 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. 
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.","\u003C4.0","4.0",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","2016-07-16 00:00:00","2024-10-16 07:31:49",[291],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2c1e6298-f243-49a5-b1b7-52bd6a6c8858?source=api-prod",3014,{"id":294,"url_slug":295,"title":296,"description":297,"plugin_slug":4,"theme_slug":38,"affected_versions":298,"patched_in_version":299,"severity":150,"cvss_score":286,"cvss_vector":287,"vuln_type":179,"published_date":300,"updated_date":155,"references":301,"days_to_patch":303},"WF-f2ed5e51-8783-4b7f-9177-c116bf0fad44-nmedia-user-file-uploader","frontend-file-manager-arbitrary-file-upload","Frontend File Manager \u003C= 3.7 - Arbitrary File Upload","The Frontend File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 3.7. 
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.","\u003C=3.7","3.8","2015-06-10 00:00:00",[302],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff2ed5e51-8783-4b7f-9177-c116bf0fad44?source=api-prod",3149,{"id":305,"url_slug":306,"title":307,"description":308,"plugin_slug":4,"theme_slug":38,"affected_versions":309,"patched_in_version":310,"severity":52,"cvss_score":166,"cvss_vector":178,"vuln_type":179,"published_date":311,"updated_date":155,"references":312,"days_to_patch":314},"CVE-2014-5324","frontend-file-manager-plugin-arbitrary-file-upload","Frontend File Manager Plugin \u003C 3.6 - Arbitrary File Upload","The Frontend File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _template_uploader.php file in versions up to, and including, 3.5. This makes it possible for authenticated attackers, with author-level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.","\u003C3.6","3.6","2014-09-25 
00:00:00",[313],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8a11c169-a232-49a9-80be-40d45d0c6dc0?source=api-prod",3407,{"slug":316,"display_name":7,"profile_url":8,"plugin_count":317,"total_installs":318,"avg_security_score":319,"avg_patch_time_days":320,"trust_score":321,"computed_at":322},"nmedia",23,4840,85,588,69,"2026-04-04T05:40:37.411Z",[324,350,372,389],{"slug":325,"name":326,"version":327,"author":328,"author_profile":329,"description":330,"short_description":331,"active_installs":332,"downloaded":333,"rating":334,"num_ratings":335,"last_updated":336,"tested_up_to":16,"requires_at_least":337,"requires_php":338,"tags":339,"homepage":344,"download_link":345,"security_score":346,"vuln_count":347,"unpatched_count":348,"last_vuln_date":349,"fetched_at":31},"multiline-files-for-contact-form-7","MultiLine Files for Contact Form 7","3.1.0","Maulik Vora","https:\u002F\u002Fprofiles.wordpress.org\u002Fzluck\u002F","\u003Cp>\u003Cstrong>MultiLine Files for Contact Form 7\u003C\u002Fstrong> is the ultimate solution for adding multiple file upload functionality to your Contact Form 7 forms. 
Whether you’re collecting documents, images, videos, or any other file types, this plugin provides a seamless, user-friendly experience that enhances your forms’ capabilities.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why Choose MultiLine Files for Contact Form 7?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>✅ \u003Cstrong>Unlimited File Uploads\u003C\u002Fstrong> – No restrictions on the number of files users can upload\u003Cbr \u002F>\n✅ \u003Cstrong>Intuitive User Interface\u003C\u002Fstrong> – Clean, responsive design that works on all devices\u003Cbr \u002F>\n✅ \u003Cstrong>Smart File Management\u003C\u002Fstrong> – Users can preview, remove, and manage files before submission\u003Cbr \u002F>\n✅ \u003Cstrong>Automatic ZIP Compression\u003C\u002Fstrong> – All files are automatically compressed into a single ZIP file for easy email delivery\u003Cbr \u002F>\n✅ \u003Cstrong>Advanced Security\u003C\u002Fstrong> – Built-in file type validation, size limits, and security measures\u003Cbr \u002F>\n✅ \u003Cstrong>Easy Integration\u003C\u002Fstrong> – Works seamlessly with Contact Form 7 without complex setup\u003Cbr \u002F>\n✅ \u003Cstrong>Fully Responsive\u003C\u002Fstrong> – Perfect experience on desktop, tablet, and mobile devices\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Perfect For:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Document submission forms\u003C\u002Fli>\n\u003Cli>Portfolio uploads\u003C\u002Fli>\n\u003Cli>Job application forms\u003C\u002Fli>\n\u003Cli>Support ticket systems\u003C\u002Fli>\n\u003Cli>Content submission platforms\u003C\u002Fli>\n\u003Cli>Any form requiring multiple file attachments\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>How to change style?\u003C\u002Fh3>\n\u003Cp>If you want to change our plugin button or others file listing style and apply your custom style please add your custom css in your theme’s css file. Adding style in child theme is recommended. Here I have shown style guide for button and listing. 
so, you can easily update style of the elements.\u003C\u002Fp>\n\u003Col>\n\u003Cli>\n\u003Cp>\u003Cstrong>Buttton style:\u003C\u002Fstrong> \u003Ccode>#mfcf7_zl_add_file { background-color: #004834; }\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>‘X’ icon style:\u003C\u002Fstrong> \u003Ccode>.mfcf7_zl_multifilecontainer p .mfcf7_zl_delete_file i { color: azure; }\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Selected file name style:\u003C\u002Fstrong> \u003Ccode>.mfcf7-zl-multifile-name { color: black; }\u003C\u002Fcode>\u003C\u002Fp>\n\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch3>Premium Features\u003C\u002Fh3>\n\u003Cp>\u003Cstrong>Upgrade to Pro for Advanced Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>🎯 \u003Cstrong>Multiple Upload Buttons\u003C\u002Fstrong> – Add multiple file upload fields in the same form\u003C\u002Fli>\n\u003Cli>📊 \u003Cstrong>File Limits\u003C\u002Fstrong> – Set minimum and maximum file count limits\u003C\u002Fli>\n\u003Cli>🎨 \u003Cstrong>Custom Positioning\u003C\u002Fstrong> – Change the location of the file list display\u003C\u002Fli>\n\u003Cli>🗑️ \u003Cstrong>Individual File Removal\u003C\u002Fstrong> – Remove files one by one even when selected together\u003C\u002Fli>\n\u003Cli>🚀 \u003Cstrong>Priority Support\u003C\u002Fstrong> – Get faster response times and dedicated support\u003C\u002Fli>\n\u003Cli>🔧 \u003Cstrong>Advanced Customization\u003C\u002Fstrong> – More styling and configuration options\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002F1.envato.market\u002F9W6qL4\" rel=\"nofollow ugc\">Get Pro Version Now\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Need Help?\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>📧 \u003Cstrong>Email Support\u003C\u002Fstrong>: Contact us through the WordPress.org support forums\u003C\u002Fli>\n\u003Cli>🐛 \u003Cstrong>Bug Reports\u003C\u002Fstrong>: Report issues on our GitHub 
repository\u003C\u002Fli>\n\u003Cli>💡 \u003Cstrong>Feature Requests\u003C\u002Fstrong>: Suggest new features via our support channels\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy Policy\u003C\u002Fh3>\n\u003Cp>This plugin does not collect, store, or transmit any personal data. All file uploads are handled locally on your server and are not sent to any third-party services. Files are temporarily stored during form submission and are automatically cleaned up after processing.\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cp>Developed by \u003Ca href=\"https:\u002F\u002Fprofiles.wordpress.org\u002Fzluck\" rel=\"nofollow ugc\">Zluck Solutions\u003C\u002Fa> with ❤️ for the WordPress community.\u003C\u002Fp>\n\u003Ch3>Donate\u003C\u002Fh3>\n\u003Cp>If you find this plugin helpful, please consider \u003Ca href=\"https:\u002F\u002Fwww.buymeacoffee.com\u002Fzluck\" rel=\"nofollow ugc\">buying us a coffee\u003C\u002Fa> to support continued development and maintenance.\u003C\u002Fp>\n","Upload unlimited files to Contact Form 7 with an intuitive interface, file management, and automatic ZIP compression for email delivery.",10000,124058,98,49,"2025-12-15T11:24:00.000Z","5.6","7.4",[340,341,20,342,343],"contact-form-7","file-attachment","form-plugin","multiple-file-upload","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fmultiline-files-for-contact-form-7\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmultiline-files-for-contact-form-7.3.1.0.zip",99,1,0,"2024-10-15 00:00:00",{"slug":351,"name":352,"version":353,"author":354,"author_profile":355,"description":356,"short_description":357,"active_installs":358,"downloaded":359,"rating":348,"num_ratings":348,"last_updated":360,"tested_up_to":16,"requires_at_least":361,"requires_php":338,"tags":362,"homepage":367,"download_link":368,"security_score":369,"vuln_count":370,"unpatched_count":348,"last_vuln_date":371,"fetched_at":31},"gf-multi-uploader","Multi Uploader for Gravity 
Forms","1.1.8","sh1zen","https:\u002F\u002Fprofiles.wordpress.org\u002Fsh1zen\u002F","\u003Cp>This is an advanced upload plugin for those who need a little more than the default multi file upload of Gravity Forms.\u003C\u002Fp>\n\u003Cp>The plugin options page provides you with granular control over many Plupload parameters from file extension filters to chunked uploading and runtimes.\u003C\u002Fp>\n\u003Cp>All files are uploaded to the WordPress media library on successful form submission making for easy access and management.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>FEATURES\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>\u003Cem>Safety:\u003C\u002Fem>\u003C\u002Fstrong> validation of both file extension and mime type.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Cem>Privacy:\u003C\u002Fem>\u003C\u002Fstrong> filenames changed once added to media library.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Cem>Advanced Customization:\u003C\u002Fem>\u003C\u002Fstrong> many options and many hooks to modify any plugin rule.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Cem>Large File Support:\u003C\u002Fem>\u003C\u002Fstrong> enabled by chunked file uploads.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Cem>Media library integration:\u003C\u002Fem>\u003C\u002Fstrong> all files are uploaded to the WordPress media library on successful form submission making for easy access and management.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>\u003Cem>Entry list creation integration:\u003C\u002Fem>\u003C\u002Fstrong>  A list of all correctly uploaded files, with relative link.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>DONATIONS\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>This plugin is free and always will be, but if you are feeling generous and want to show your support, you can buy me a\u003Cbr \u002F>\nbeer or coffee \u003Ca 
href=\"https:\u002F\u002Fwww.paypal.com\u002Fdonate?business=dev.sh1zen%40outlook.it&item_name=Thank+you+in+advanced+for+the+kind+donations.+You+will+sustain+me+developing+GF-Multi-Uploader.&currency_code=EUR\" rel=\"nofollow ugc\">here\u003C\u002Fa>, I will really appreciate it.\u003C\u002Fp>\n\u003Ch3>Hooks\u003C\u002Fh3>\n\u003Cp>Filters:\u003Cbr \u002F>\n* ‘gfmu_plugin_locale’\u003Cbr \u002F>\n* ‘gfmu_before_attach_uploads’\u003Cbr \u002F>\n* ‘gfmu_maybe_insert_attachment’\u003Cbr \u002F>\n* ‘gfmu_server_validation_args’\u003Cbr \u002F>\n* ‘gfmu_insert_attachment_args’\u003Cbr \u002F>\n* ‘gfmu_field_options’\u003Cbr \u002F>\n* ‘gfmu_save_entry’\u003C\u002Fp>\n","Chunked Multiple file uploads, from images, videos to pdf. Files stored in WP Media Library.",30,4277,"2025-12-16T17:57:00.000Z","5.0",[20,363,364,365,366],"gravity-forms","gravity-forms-uploader","plupload","uploader","https:\u002F\u002Fgithub.com\u002Fsh1zen\u002Fgf-multi-uploader","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgf-multi-uploader.1.1.8.zip",88,2,"2025-12-11 15:06:36",{"slug":373,"name":374,"version":375,"author":376,"author_profile":377,"description":378,"short_description":379,"active_installs":27,"downloaded":380,"rating":348,"num_ratings":348,"last_updated":381,"tested_up_to":382,"requires_at_least":383,"requires_php":384,"tags":385,"homepage":18,"download_link":388,"security_score":319,"vuln_count":348,"unpatched_count":348,"last_vuln_date":38,"fetched_at":31},"file-uploader-tektonic-solutions","File Uploader – Tektonic Solutions","1.0.0","Tektonic Solutions","https:\u002F\u002Fprofiles.wordpress.org\u002Ftektonicsolutions\u002F","\u003Cp>This plugin makes it easy for end users on your website to upload files. 
You just need to paste the following shortcode in the page or post content:\u003Cbr \u002F>\n    [tektonic_file_upload]\u003C\u002Fp>\n\u003Cp>For drag-and-drop and other extra features please see the \u003Ca href=\"https:\u002F\u002Fwww.tektonicsolutions.com\u002Fts_plugin\u002Ffile-uploader-pro-with-drag-n-drop\u002F\" rel=\"nofollow ugc\">PRO version\u003C\u002Fa>\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Col>\n\u003Cli>File type restriction – you can add any file type from the settings.\u003C\u002Fli>\n\u003Cli>Hotlinking of the images – the user who has just uploaded a file can click the link and go and check it.\u003C\u002Fli>\n\u003Cli>The user can delete the uploaded file if they wish, as long as they don’t refresh the page. \u003C\u002Fli>\n\u003Cli>The plugin includes two types of incrementing progress bar – circular and bar-shape.\u003C\u002Fli>\n\u003Cli>Admin can select whether to show or hide the incrementing progress bar.\u003C\u002Fli>\n\u003Cli>All uploaded files are added to the default upload folder, and can be seen and administered in the Media section of the Admin Sidebar.\u003C\u002Fli>\n\u003C\u002Fol>\n","Tektonic Solutions File Uploader plugin lets a logged-in end-user on your website upload files one at a time.",1182,"2019-10-26T16:11:00.000Z","5.2.24","4.8","5.6.30",[20,386,387],"fileupload","page","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ffile-uploader-tektonic-solutions.1.0.0.zip",{"slug":390,"name":391,"version":392,"author":393,"author_profile":394,"description":395,"short_description":396,"active_installs":27,"downloaded":397,"rating":348,"num_ratings":348,"last_updated":398,"tested_up_to":399,"requires_at_least":400,"requires_php":18,"tags":401,"homepage":406,"download_link":407,"security_score":319,"vuln_count":348,"unpatched_count":348,"last_vuln_date":38,"fetched_at":31},"wp-editor-imgur-button","WP Editor Imgur 
Button","1.1","codehay","https:\u002F\u002Fprofiles.wordpress.org\u002Fcodehay\u002F","\u003Cp>Insert button upload image to imgur.com using api and add to comment box\u003C\u002Fp>\n\u003Cp>In wp-admin click Setting \u002F Imgur Uploader Settings to insert imgur Client ID before start plugin, if you checked Add TinyMCE to Comments box checkbox it will add tinymce editor in comments box in frontend.\u003C\u002Fp>\n","Insert button upload image to imgur.com using api and add to comment box",1950,"2016-08-02T15:18:00.000Z","4.5.33","1.0",[22,402,403,404,405],"imgur","imgur-comment","imgur-plugin","imgur-uploader","http:\u002F\u002Fcodehay.net\u002Fq\u002Fplugin-them-button-upload-anh-len-imgur-com-cho-tinymce-editor\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-editor-imgur-button.zip",{"attackSurface":409,"codeSignals":566,"taintFlows":689,"riskAssessment":779,"analyzedAt":795},{"hooks":410,"ajaxHandlers":536,"restRoutes":543,"shortcodes":551,"cronEvents":564,"entryPointCount":565,"unprotectedCount":347},[411,417,423,428,432,435,440,445,449,452,456,459,463,466,470,474,478,482,486,489,493,497,501,505,509,513,517,521,525,529,532],{"type":412,"name":413,"callback":414,"file":415,"line":416},"filter","ffmwp_the_context","closure","inc\\classes\\class.frontend.php",34,{"type":418,"name":419,"callback":420,"file":421,"line":422},"action","admin_enqueue_scripts","add_scripts","inc\\classes\\class.meta.php",15,{"type":418,"name":424,"callback":425,"file":426,"line":427},"rest_api_init","rest_api","inc\\classes\\class.rest.php",11,{"type":418,"name":419,"callback":429,"file":430,"line":431},"load_script","inc\\deactivate.class.php",17,{"type":418,"name":433,"callback":434,"file":430,"line":97},"admin_footer","deactivate_scripts",{"type":418,"name":436,"callback":437,"file":438,"line":439},"wp_enqueue_scripts","load_input_scripts","inc\\inputs\\input.date.php",31,{"type":418,"name":441,"callback":442,"file":443,"line":444},"init","init_plugin","wp-file-
manager.php",65,{"type":418,"name":446,"callback":447,"priority":346,"file":443,"line":448},"before_delete_post","wpfm_admin_delete_files",76,{"type":418,"name":450,"callback":451,"file":443,"line":13},"admin_menu","wpfm_admin_add_menu_pages",{"type":412,"name":453,"callback":454,"priority":27,"file":443,"line":455},"admin_url","wpfm_change_add_new_link",82,{"type":418,"name":450,"callback":457,"file":443,"line":458},"hide_new_file_menu_cpt",84,{"type":412,"name":460,"callback":461,"file":443,"line":462},"query_vars","add_query_var",87,{"type":418,"name":419,"callback":464,"file":443,"line":465},"wpfm_admin_load_scripts",90,{"type":418,"name":467,"callback":468,"priority":27,"file":443,"line":469},"save_post","save_page",97,{"type":418,"name":471,"callback":472,"priority":27,"file":443,"line":473},"wpfm_after_directory_post_saved","wpfm_hooks_after_dir_saved",100,{"type":418,"name":475,"callback":476,"priority":27,"file":443,"line":477},"wpfm_after_file_post_save","wpfm_hooks_after_file_saved",101,{"type":418,"name":479,"callback":480,"priority":27,"file":443,"line":481},"wpfm_file_meta_saving","wpfm_hooks_file_meta_save",102,{"type":418,"name":483,"callback":484,"priority":27,"file":443,"line":485},"wpfm_after_all_files_post_save","wpfm_hooks_send_notification",103,{"type":418,"name":483,"callback":487,"priority":27,"file":443,"line":488},"wpfm_user_upload_files_counter",104,{"type":412,"name":490,"callback":491,"priority":27,"file":443,"line":492},"wpfm_uploaded_filename","wpfm_hook_rename_file",105,{"type":412,"name":494,"callback":495,"file":443,"line":496},"manage_edit-wpfm-files_columns","wpfm_cpt_cloumns",108,{"type":418,"name":498,"callback":499,"priority":27,"file":443,"line":500},"manage_wpfm-files_posts_custom_column","wpfm_cpt_columns_data",109,{"type":412,"name":502,"callback":503,"file":443,"line":504},"manage_edit-wpfm-files_sortable_columns","wpfm_cpt_columns_sorted",110,{"type":412,"name":506,"callback":507,"priority":346,"file":443,"line":508},"wpf
m_top_menu","wpfm_hooks_logout_link_nav_bar",114,{"type":412,"name":510,"callback":511,"file":443,"line":512},"intermediate_image_sizes_advanced","prevent_thumbs_generation",117,{"type":412,"name":514,"callback":515,"priority":27,"file":443,"line":516},"wpfm_wp_files_query","wpfm_hooks_update_query",124,{"type":418,"name":518,"callback":519,"file":443,"line":520},"admin_footer-edit.php","adding_file_details",128,{"type":412,"name":522,"callback":523,"file":443,"line":524},"theme_page_templates","wpfm_hooks_register_template",131,{"type":412,"name":526,"callback":527,"file":443,"line":528},"page_template","wpfm_hooks_load_page_template",132,{"type":418,"name":446,"callback":530,"file":443,"line":531},"wpfm_hooks_delete_attached_media",135,{"type":418,"name":533,"callback":534,"file":443,"line":535},"plugins_loaded","wpfm",284,[537],{"action":538,"nopriv":539,"callback":540,"hasNonce":541,"hasCapCheck":541,"file":430,"line":542},"wpfm_submit_uninstall_reason",false,"send_uninstall_reason",true,20,[544],{"namespace":545,"route":546,"methods":547,"callback":549,"permissionCallback":550,"file":426,"line":431},"wpfm\u002Fv1","\u002Ffile-rename",[548],"POST","rename_file","__return_true",[552,555,557,561],{"tag":553,"callback":554,"file":415,"line":358},"nm-wp-file-uploader","ffmwp_render_frontend",{"tag":556,"callback":554,"file":415,"line":439},"ffmwp",{"tag":558,"callback":559,"file":443,"line":560},"nm-wp-file-uploader-legacy","wpfm_shortcode_render",263,{"tag":534,"callback":562,"file":443,"line":563},"wpfm_shortcode_files",266,[],6,{"dangerousFunctions":567,"sqlUsage":568,"outputEscaping":570,"fileOperations":683,"externalRequests":347,"nonceChecks":120,"capabilityChecks":684,"bundledLibraries":685},[],{"prepared":348,"raw":348,"locations":569},[],{"escaped":571,"rawEcho":572,"locations":573},361,56,[574,578,580,581,584,586,588,589,590,593,596,597,599,601,603,605,607,609,611,614,617,620,623,626,628,631,633,636,638,640,641,642,644,645,647,650,651,653,655,656,658,659,6
61,663,664,665,667,669,670,671,673,674,675,677,678,681],{"file":575,"line":576,"context":577},"inc\\admin.php",137,"raw output",{"file":415,"line":579,"context":577},67,{"file":421,"line":319,"context":577},{"file":582,"line":583,"context":577},"inc\\cpt.php",165,{"file":582,"line":585,"context":577},169,{"file":582,"line":587,"context":577},173,{"file":430,"line":485,"context":577},{"file":430,"line":485,"context":577},{"file":591,"line":592,"context":577},"inc\\files.php",868,{"file":594,"line":595,"context":577},"inc\\helpers.php",68,{"file":594,"line":13,"context":577},{"file":594,"line":598,"context":577},96,{"file":594,"line":600,"context":577},1162,{"file":602,"line":524,"context":577},"inc\\inputs\\input.checkbox.php",{"file":438,"line":604,"context":577},112,{"file":438,"line":606,"context":577},127,{"file":608,"line":500,"context":577},"inc\\inputs\\input.email.php",{"file":610,"line":595,"context":577},"inc\\inputs\\input.hidden.php",{"file":612,"line":613,"context":577},"inc\\inputs\\input.radio.php",113,{"file":615,"line":616,"context":577},"inc\\inputs\\input.section.php",72,{"file":618,"line":619,"context":577},"inc\\inputs\\input.select.php",118,{"file":621,"line":622,"context":577},"inc\\inputs\\input.text.php",94,{"file":624,"line":625,"context":577},"inc\\inputs\\input.textarea.php",91,{"file":627,"line":358,"context":577},"inc\\shortcode.php",{"file":629,"line":630,"context":577},"templates\\admin\\add_new.php",14,{"file":629,"line":632,"context":577},36,{"file":634,"line":635,"context":577},"templates\\admin\\fields.php",41,{"file":634,"line":637,"context":577},50,{"file":634,"line":639,"context":577},54,{"file":634,"line":595,"context":577},{"file":634,"line":448,"context":577},{"file":634,"line":643,"context":577},107,{"file":634,"line":496,"context":577},{"file":634,"line":646,"context":577},111,{"file":648,"line":649,"context":577},"templates\\admin\\settings-legacy.php",38,{"file":648,"line":649,"context":577},{"file":648,"line":652,"contex
t":577},44,{"file":648,"line":654,"context":577},53,{"file":648,"line":572,"context":577},{"file":648,"line":657,"context":577},86,{"file":648,"line":481,"context":577},{"file":660,"line":635,"context":577},"templates\\admin\\settings.php",{"file":660,"line":662,"context":577},42,{"file":660,"line":335,"context":577},{"file":660,"line":639,"context":577},{"file":660,"line":666,"context":577},62,{"file":660,"line":668,"context":577},78,{"file":660,"line":625,"context":577},{"file":660,"line":504,"context":577},{"file":672,"line":595,"context":577},"templates\\email\\template.email.1.php",{"file":672,"line":595,"context":577},{"file":672,"line":512,"context":577},{"file":676,"line":73,"context":577},"v22\\templates\\parts\\left\\index.php",{"file":676,"line":416,"context":577},{"file":679,"line":680,"context":577},"v22\\templates\\parts\\upload\\index.php",21,{"file":443,"line":682,"context":577},235,12,4,[686],{"name":687,"version":38,"knownCves":688},"Select2",[],[690,707,717,726,755,769],{"entryPoint":691,"graph":692,"unsanitizedCount":348,"severity":706},"wpfm_save_settings (inc\\admin.php:9)",{"nodes":693,"edges":704},[694,699],{"id":695,"type":696,"label":697,"file":575,"line":698},"n0","source","$_POST",106,{"id":700,"type":701,"label":702,"file":575,"line":500,"wp_function":703},"n1","sink","update_option() [Settings Manipulation]","update_option",[705],{"from":695,"to":700,"sanitized":541},"low",{"entryPoint":708,"graph":709,"unsanitizedCount":348,"severity":706},"wpfm_save_meta (inc\\admin.php:260)",{"nodes":710,"edges":715},[711,713],{"id":695,"type":696,"label":697,"file":575,"line":712},288,{"id":700,"type":701,"label":702,"file":575,"line":714,"wp_function":703},294,[716],{"from":695,"to":700,"sanitized":541},{"entryPoint":718,"graph":719,"unsanitizedCount":348,"severity":706},"\u003Cadmin> (inc\\admin.php:0)",{"nodes":720,"edges":724},[721,723],{"id":695,"type":696,"label":722,"file":575,"line":698},"$_POST 
(x2)",{"id":700,"type":701,"label":702,"file":575,"line":500,"wp_function":703},[725],{"from":695,"to":700,"sanitized":541},{"entryPoint":727,"graph":728,"unsanitizedCount":348,"severity":706},"wpfm_file_download (inc\\files.php:803)",{"nodes":729,"edges":751},[730,733,737,740,745,747],{"id":695,"type":696,"label":731,"file":591,"line":732},"$_REQUEST (x2)",808,{"id":700,"type":701,"label":734,"file":591,"line":735,"wp_function":736},"header() [Header Injection]",854,"header",{"id":738,"type":696,"label":739,"file":591,"line":732},"n2","$_REQUEST",{"id":741,"type":701,"label":742,"file":591,"line":743,"wp_function":744},"n3","fopen() [File Access]",865,"fopen",{"id":746,"type":696,"label":739,"file":591,"line":732},"n4",{"id":748,"type":701,"label":749,"file":591,"line":592,"wp_function":750},"n5","echo() [XSS]","echo",[752,753,754],{"from":695,"to":700,"sanitized":541},{"from":738,"to":741,"sanitized":541},{"from":746,"to":748,"sanitized":541},{"entryPoint":756,"graph":757,"unsanitizedCount":348,"severity":706},"\u003Cfiles> (inc\\files.php:0)",{"nodes":758,"edges":765},[759,760,761,762,763,764],{"id":695,"type":696,"label":731,"file":591,"line":732},{"id":700,"type":701,"label":734,"file":591,"line":735,"wp_function":736},{"id":738,"type":696,"label":739,"file":591,"line":732},{"id":741,"type":701,"label":742,"file":591,"line":743,"wp_function":744},{"id":746,"type":696,"label":739,"file":591,"line":732},{"id":748,"type":701,"label":749,"file":591,"line":592,"wp_function":750},[766,767,768],{"from":695,"to":700,"sanitized":541},{"from":738,"to":741,"sanitized":541},{"from":746,"to":748,"sanitized":541},{"entryPoint":770,"graph":771,"unsanitizedCount":348,"severity":706},"\u003Cfile-form> 
(v22\\templates\\parts\\upload\\file-form.php:0)",{"nodes":772,"edges":777},[773,776],{"id":695,"type":696,"label":774,"file":775,"line":27},"$_GET","v22\\templates\\parts\\upload\\file-form.php",{"id":700,"type":701,"label":749,"file":775,"line":97,"wp_function":750},[778],{"from":695,"to":700,"sanitized":541},{"summary":780,"deductions":781},"The nmedia-user-file-uploader plugin presents a mixed security posture.  While it demonstrates good practices in areas like SQL query sanitization (100% prepared statements) and a relatively high percentage of output escaping (87%), several concerning factors emerge. The static analysis highlights a total of 6 entry points, with 1 being unprotected, posing a direct risk of unauthorized access or manipulation.  Furthermore, the significant vulnerability history, with 25 known CVEs including 3 currently unpatched, is a major red flag. The prevalence of vulnerabilities such as Path Traversal, Authorization Bypass, and Unrestricted Uploads, coupled with the recent date of the last known vulnerability (even if in the future, suggesting a potential for ongoing discovery), indicates a pattern of recurring security weaknesses within the plugin.  
The plugin has a considerable attack surface and a history of critical vulnerabilities that have not always been adequately addressed, leading to a heightened risk profile.",[782,784,786,788,791,793],{"reason":783,"points":542},"3 unpatched CVEs",{"reason":785,"points":27},"1 unprotected entry point",{"reason":787,"points":27},"1 REST API route without permission callback",{"reason":789,"points":790},"12 file operations (potential for misuse)",5,{"reason":792,"points":29},"Bundled Select2 library (potential for outdatedness)",{"reason":794,"points":684},"13% of outputs not properly escaped","2026-03-16T19:04:57.886Z",{"wat":797,"direct":826},{"assetPaths":798,"generatorPatterns":811,"scriptPaths":812,"versionParams":813},[799,800,801,802,803,804,805,806,807,808,809,810],"\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fbootstrap.min.css","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fcss\u002Ffont-awesome.min.css","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fnmedia-admin-style.css","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fwpfm-style.css","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fbootstrap.min.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Ffile-upload.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fjquery.validate.min.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fmain.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fnm-admin-script.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fpdfobject.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fscript.js","\u002Fwp-content\u002Fplugins\u002Fnmedia-user-file-uploader\u00
2Fassets\u002Fjs\u002Fuploader.js",[],[804,806,810,807,809,805,808,803],[814,815,816,817,818,819,820,821,822,823,824,825],"nmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fbootstrap.min.css?ver=","nmedia-user-file-uploader\u002Fassets\u002Fcss\u002Ffont-awesome.min.css?ver=","nmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fnmedia-admin-style.css?ver=","nmedia-user-file-uploader\u002Fassets\u002Fcss\u002Fwpfm-style.css?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fbootstrap.min.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Ffile-upload.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fjquery.validate.min.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fmain.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fnm-admin-script.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fpdfobject.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fscript.js?ver=","nmedia-user-file-uploader\u002Fassets\u002Fjs\u002Fuploader.js?ver=",{"cssClasses":827,"htmlComments":834,"htmlAttributes":839,"restEndpoints":843,"jsGlobals":847,"shortcodeOutput":851},[828,829,830,831,832,833],"wpfm-upload-button","wpfm-file-upload-form","wpfm-upload-progress-bar","wpfm-file-manager-container","nm-file-manager-table","wpfm-file-manager-header",[835,836,837,838],"\u003C!-- wpfm_add_file_manager -->","\u003C!-- Start of New FrontEnd -->","\u003C!-- End of New FrontEnd -->","\u003C!-- nmedia admin script -->",[840,841,842],"data-wpfm-upload-id","data-wpfm-file-path","data-wpfm-upload-url",[844,845,846],"\u002Fwp-json\u002Fwpfm\u002Fv1\u002Fupload","\u002Fwp-json\u002Fwpfm\u002Fv1\u002Ffiles","\u002Fwp-json\u002Fwpfm\u002Fv1\u002Fdelete",[848,849,850],"wpfm_settings","WPFM_Frontend","NmediaFileManager",[852,853,854],"[wpfm_file_manager]","[wpfm_upload_form]","[wpfm_download_list]"]