CVE-2026-1280

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1280
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98
https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) El plugin Frontend File Manager para WordPress es vulnerable al uso compartido de archivos no autorizado debido a una comprobación de capacidad faltante en la acción AJAX 'wpfm_send_file_in_email' en todas las versiones hasta la 23.5, inclusive. Esto permite a atacantes no autenticados compartir archivos subidos arbitrarios por correo electrónico al proporcionar un ID de archivo. Dado que los ID de archivo son enteros secuenciales, los atacantes pueden enumerar todos los archivos subidos en el sitio y exfiltrar datos sensibles que estaban destinados a ser restringidos solo a los administradores.

28 Jan 2026, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-28 12:15

Updated : 2026-06-17 10:15

NVD link : CVE-2026-1280

Mitre link : CVE-2026-1280

CVE.ORG link : CVE-2026-1280

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization