
CVE-2026-8380: WordPress Frontend File Manager Arbitrary Post Deletion

CVE-2026-8380 is a critical authorization bypass vulnerability in the WordPress Frontend File Manager plugin <= 23.6 that allows authenticated low-privilege users, or unauthenticated users with guest uploads enabled, to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types.

A critical authorization flaw, CVE-2026-8380, has been discovered in the WordPress plugin “Frontend File Manager” (nmedia-user-file-uploader), affecting versions 23.6 and earlier. This vulnerability allows authenticated users with low privileges (e.g., subscriber) to delete arbitrary WordPress content, including posts, pages, attachments, and custom post types. The root cause lies in improper authorization validation within the wpfm_delete_file AJAX action. When the plugin’s _allow_guest_upload option is enabled, the vulnerability becomes exploitable by unauthenticated attackers. Public exploit code is available, increasing the risk of exploitation against unpatched WordPress sites using the vulnerable plugin.

Attack Chain

  1. Attacker visits a page containing the [ffmwp] shortcode to obtain a valid wpfm_ajax_nonce value.
  2. Attacker crafts a POST request to /wp-admin/admin-ajax.php with the action parameter set to wpfm_delete_file.
  3. The request includes the wpfm_ajax_nonce obtained in the previous step. The nonce only protects against CSRF; it is not an authorization check, so it does not stop an attacker who can obtain it.
  4. The attacker sets the file_id parameter to the ID of a post they own, which satisfies the only ownership check the handler performs.
  5. The attacker injects the IDs of target posts (pages, attachments, etc.) into the file_ids[] array.
  6. The vulnerable code iterates over the file_ids[] array and calls wp_delete_post() for each ID without validating ownership or post type.
  7. wp_delete_post() is called with the bypass_trash argument set to true, permanently deleting the targeted content.
  8. The attacker successfully deletes arbitrary content from the WordPress site.

Impact

Successful exploitation of CVE-2026-8380 can result in significant data loss and disruption of WordPress websites. An attacker can delete posts, pages, attachments, and custom post types, leading to defacement, denial of service, or exfiltration of sensitive information if attachments contained such data. The vulnerability affects all WordPress sites using the Frontend File Manager plugin version 23.6 or earlier. If the _allow_guest_upload option is enabled, exploitation requires no authentication, increasing the attack surface.

Recommendation

  • Apply the vendor-supplied patch or upgrade to a version of the Frontend File Manager plugin that addresses CVE-2026-8380.
  • Disable the _allow_guest_upload option in the Frontend File Manager plugin settings to prevent unauthenticated exploitation.
  • Deploy the Sigma rule “Detect CVE-2026-8380 Exploitation Attempt via wp-admin AJAX” to identify potential exploitation attempts in web server logs.
  • Deploy the Sigma rule “Detect CVE-2026-8380 Exploitation Attempt via admin-ajax POST Request” to detect the exploitation attempts.
  • Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action parameter set to wpfm_delete_file and unusual combinations of file_id and file_ids[] parameters.
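A small detector for the log-monitoring recommendation above, added here as an example; it is not code from the advisory or the plugin. It assumes a log source that records URL-encoded POST bodies (a WAF or body-logging module, since plain Apache/nginx access logs do not) and that a benign deletion references only the caller's own file_id in file_ids[]; both are assumptions, and the log records are constructed.

```python
"""Flag admin-ajax POST requests matching the CVE-2026-8380 pattern."""
from urllib.parse import parse_qs

# Constructed sample records: (client_ip, method, path, url-encoded POST body).
# The nonce values are placeholders, not real tokens.
SAMPLE_LOG = [
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=wpfm_delete_file&wpfm_ajax_nonce=abc123&file_id=42&file_ids%5B%5D=42"),
    ("203.0.113.9", "POST", "/wp-admin/admin-ajax.php",
     "action=wpfm_delete_file&wpfm_ajax_nonce=abc123&file_id=42"
     "&file_ids%5B%5D=1&file_ids%5B%5D=2&file_ids%5B%5D=17"),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=heartbeat&data%5Bwp-refresh-post-lock%5D=1"),
    ("198.51.100.8", "GET", "/wp-admin/admin-ajax.php", ""),
]


def analyse(ip, method, path, body):
    """Return a finding dict for a suspicious wpfm_delete_file request, else None."""
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "wpfm_delete_file":
        return None
    file_id = params.get("file_id", [""])[0]
    # parse_qs decodes file_ids%5B%5D to the literal key "file_ids[]".
    file_ids = params.get("file_ids[]", [])
    # Assumption: a legitimate deletion only names the caller's own file_id,
    # so any other ID in file_ids[] is the arbitrary-deletion pattern.
    extra = [i for i in file_ids if i != file_id]
    if not extra:
        return None
    return {"src_ip": ip, "file_id": file_id, "targets": extra,
            "reason": "file_ids[] contains IDs other than file_id"}


def scan(records):
    """Run analyse() over a sequence of log records and keep the findings."""
    return [f for f in (analyse(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```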

Detection coverage (2 rules)

Detect CVE-2026-8380 Exploitation Attempt via wp-admin AJAX

Severity: high

Detects a CVE-2026-8380 exploitation attempt via a suspicious POST request to /wp-admin/admin-ajax.php with the wpfm_delete_file action and multiple file_ids[] values.

Type: sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver

Detect CVE-2026-8380 Exploitation Attempt via admin-ajax POST Request

Severity: high

Detects a CVE-2026-8380 exploitation attempt via a POST request to admin-ajax.php with the specific parameters described above.

Type: sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver
