CVE-2025-13382 — Authorization Bypass Through User-Controlled Key in Frontend File Manager Plugin

CWE-639 — Authorization Bypass Through User-Controlled Key3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 85.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nmedia Frontend File Manager Plugin

Timeline

PublishedNov 25

Description

The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rename files uploaded by other users via the 'fileid' parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5nmedia/frontend_file_manager_plugin23.4

🔴Vulnerability Details

GHSA

GHSA-556h-cxm4-3558: The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23↗2025-11-25

▶

CVEList

Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming↗2025-11-25

▶