{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/frontend-file-manager-nmedia-user-file-uploader--23.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Frontend File Manager (nmedia-user-file-uploader) \u003c= 23.6"],"_cs_severities":["critical"],"_cs_tags":["cve","wordpress","authorization","privilege-escalation","arbitrary-deletion","plugin-vulnerability"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eA critical authorization flaw, CVE-2026-8380, has been discovered in the WordPress plugin \u0026ldquo;Frontend File Manager\u0026rdquo; (nmedia-user-file-uploader), affecting versions 23.6 and earlier. This vulnerability allows authenticated users with low privileges (e.g., subscriber) to delete arbitrary WordPress content, including posts, pages, attachments, and custom post types. The root cause lies in improper authorization validation within the \u003ccode\u003ewpfm_delete_file\u003c/code\u003e AJAX action. When the plugin\u0026rsquo;s \u003ccode\u003e_allow_guest_upload\u003c/code\u003e option is enabled, the vulnerability becomes exploitable by unauthenticated attackers. Public exploit code is available, increasing the risk of exploitation against unpatched WordPress sites using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker visits a page containing the \u003ccode\u003e[ffmwp]\u003c/code\u003e shortcode to obtain a valid \u003ccode\u003ewpfm_ajax_nonce\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewpfm_delete_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003ewpfm_ajax_nonce\u003c/code\u003e obtained in the previous step for CSRF protection (though this protection is insufficient).\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003efile_id\u003c/code\u003e parameter to the ID of a post they own, bypassing the initial authorization check.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the IDs of target posts (pages, attachments, etc.) into the \u003ccode\u003efile_ids[]\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code iterates over the \u003ccode\u003efile_ids[]\u003c/code\u003e array and calls \u003ccode\u003ewp_delete_post()\u003c/code\u003e for each ID without validating ownership or post type.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewp_delete_post()\u003c/code\u003e is called with the \u003ccode\u003ebypass_trash\u003c/code\u003e argument set to \u003ccode\u003etrue\u003c/code\u003e, permanently deleting the targeted content.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully deletes arbitrary content from the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8380 can result in significant data loss and disruption of WordPress websites. An attacker can delete posts, pages, attachments, and custom post types, leading to defacement, denial of service, or exfiltration of sensitive information if attachments contained such data. The vulnerability affects all WordPress sites using the Frontend File Manager plugin version 23.6 or earlier. If the \u003ccode\u003e_allow_guest_upload\u003c/code\u003e option is enabled, exploitation requires no authentication, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch or upgrade to a version of the Frontend File Manager plugin that addresses CVE-2026-8380.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003e_allow_guest_upload\u003c/code\u003e option in the Frontend File Manager plugin settings to prevent unauthenticated exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8380 Exploitation Attempt via wp-admin AJAX\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8380 Exploitation Attempt via admin-ajax POST Request\u0026rdquo; to detect the exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003ewpfm_delete_file\u003c/code\u003e and unusual combinations of \u003ccode\u003efile_id\u003c/code\u003e and \u003ccode\u003efile_ids[]\u003c/code\u003e parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T15:01:04Z","date_published":"2026-05-28T15:01:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8380-wordpress-plugin-vuln/","summary":"CVE-2026-8380 is a critical authorization bypass vulnerability in the WordPress Frontend File Manager plugin \u003c= 23.6 that allows authenticated low-privilege users, or unauthenticated users with guest uploads enabled, to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types.","title":"CVE-2026-8380: WordPress Frontend File Manager Arbitrary Post Deletion","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8380-wordpress-plugin-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Frontend File Manager (Nmedia-User-File-Uploader) \u003c= 23.6","version":"https://jsonfeed.org/version/1.1"}