CVE-2026-1280: Missing Authorization in Frontend File Manager Plugin

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 76.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 28; latest update Apr 3

Description

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to adm

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

Vulnerability Details (3)

GHSA (2026-04-03): SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
CVEList (2026-01-28): Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter
GHSA (2026-01-28): GHSA-95g8-rf6q-22v9: The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_

Threat Intelligence (1)

Wiz: CVE-2026-1280 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1280 — Missing Authorization | cvebase