CVE-2025-14804

Frontend File Manager <= 23.4 - Authenticated (Subscriber+) Arbitrary File Deletion

highExternal Control of File Name or Path
8.1
CVSS Score
8.1
CVSS Score
high
Severity
23.5
Patched in
28d
Time to patch

Description

The Frontend File Manager Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 23.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=23.4
PublishedDecember 17, 2025
Last updatedJanuary 13, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept steps, or payloads for specific vulnerabilities. For information on securing WordPress plugins and preventing file-related vulnerabilities, I recommend reviewing the following resources: …

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept steps, or payloads for specific vulnerabilities.

For information on securing WordPress plugins and preventing file-related vulnerabilities, I recommend reviewing the following resources:

  • WordPress Plugin Handbook on Security: This guide covers essential security practices, including data validation, sanitization, and the proper use of nonces and capability checks.
  • Path Sanitization: Researching functions like wp_basename() and realpath() can provide insight into how to properly handle file paths and prevent directory traversal or arbitrary file deletion.
  • OWASP File System Security: The Open Web Application Security Project (OWASP) provides general guidance on preventing path traversal and protecting the file system from unauthorized access or modification.
  • Secure File Uploads and Management: Reviewing documentation on wp_handle_upload() and filesystem API best practices can help in building secure file management features.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Frontend File Manager plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 23.4 because it fails to properly validate user-supplied file paths. Authenticated users with Subscriber-level access or higher can exploit this flaw to delete sensitive server files, which can facilitate a site takeover or remote code execution.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.