CVE-2026-1280 Overview
The Frontend File Manager Plugin for WordPress contains a critical authorization vulnerability that allows unauthenticated attackers to share arbitrary uploaded files via email. The vulnerability exists due to a missing capability check on the wpfm_send_file_in_email AJAX action in all versions up to and including 23.5. This security flaw enables malicious actors to enumerate and exfiltrate sensitive files that were intended to be restricted to administrators only.
Critical Impact
Unauthenticated attackers can enumerate all uploaded files using sequential integer IDs and exfiltrate sensitive data via email, potentially exposing confidential documents, user uploads, and administrator-restricted content.
Affected Products
- Frontend File Manager Plugin for WordPress versions up to and including 23.5
- WordPress sites using the nmedia-user-file-uploader plugin
Discovery Timeline
- 2026-01-28 - CVE-2026-1280 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-1280
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), representing a fundamental access control failure in the plugin's architecture. The wpfm_send_file_in_email AJAX endpoint processes file sharing requests without verifying whether the requesting user has the appropriate permissions to access or share the specified file.
The vulnerability is particularly severe because it can be exploited by completely unauthenticated users—no WordPress account or session is required. The attack surface is exposed through WordPress's standard AJAX interface, making it accessible to any external attacker who can send HTTP requests to the target site.
Root Cause
The root cause lies in the missing capability check within the callback function handling the wpfm_send_file_in_email AJAX action. The vulnerable code, located in inc/callback-functions.php, processes file sharing requests without validating user permissions or ownership. WordPress plugins are expected to implement proper authorization checks using functions like current_user_can() before performing sensitive operations—this plugin fails to implement such checks for this particular endpoint.
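To make the CWE-862 point concrete, here is an added illustration (not the plugin's real code from inc/callback-functions.php): the shape of a callback that trusts a client-supplied file ID, next to a hardened version that checks a nonce, the caller's capability and ownership of the specific file. The function names, the `file_id`/`email` field names and the assumption that uploads are stored as WordPress attachments are all hypothetical.

```php
<?php
// Added illustration, not the plugin's actual code. Function names, the
// 'file_id'/'email' field names and the assumption that uploads are stored
// as WordPress attachments are hypothetical.

// Vulnerable shape: in the flawed version this would be hooked to BOTH
// wp_ajax_ and wp_ajax_nopriv_, and it mails whatever ID the client names.
function example_send_file_vulnerable() {
    $file_id = absint($_POST['file_id'] ?? 0);
    $to      = sanitize_email($_POST['email'] ?? '');
    $path    = get_attached_file($file_id); // any attachment ID resolves
    wp_mail($to, 'Shared file', 'See attachment', '', array($path));
    wp_send_json_success();
}

// Hardened shape: logged-in hook only, nonce check, then capability and
// ownership checks on the specific file before anything is mailed.
add_action('wp_ajax_wpfm_send_file_in_email', 'example_send_file_hardened');
function example_send_file_hardened() {
    check_ajax_referer('wpfm_send_file', 'nonce'); // dies on a bad nonce
    $file_id = absint($_POST['file_id'] ?? 0);
    $to      = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $post    = $file_id ? get_post($file_id) : null;
    if (!$post || 'attachment' !== $post->post_type || !is_email($to)) {
        wp_send_json_error('invalid request', 400); // exits
    }
    // CWE-862 fix: the requester must own this file or be allowed to manage
    // all uploads. A role check alone would still let any logged-in user
    // share other users' files.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if (!$is_owner && !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403); // exits
    }
    $path = get_attached_file($file_id);
    if (!$path || !file_exists($path)) {
        wp_send_json_error('file not found', 404); // exits
    }
    wp_mail($to, 'Shared file', 'See attachment', '', array($path));
    wp_send_json_success();
}
```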
Attack Vector
The attack exploits the network-accessible AJAX endpoint with no authentication requirements. An attacker can craft HTTP requests to the WordPress AJAX handler (admin-ajax.php) specifying the wpfm_send_file_in_email action along with a target file ID.
Since file IDs in the plugin are sequential integers, attackers can systematically enumerate all uploaded files on the site by iterating through ID values. For each valid file ID discovered, the attacker can specify their own email address to receive the file, effectively exfiltrating the contents. This enumeration technique allows attackers to harvest all files uploaded through the plugin, regardless of the original access restrictions configured by administrators.
The attack requires no user interaction and can be fully automated, allowing rapid data exfiltration from vulnerable WordPress installations.
Detection Methods for CVE-2026-1280
Indicators of Compromise
- Unusual volume of AJAX requests to admin-ajax.php with the wpfm_send_file_in_email action
- Sequential file ID patterns in request parameters suggesting enumeration activity
- Outbound emails containing file attachments sent to unfamiliar or external email addresses
- Spike in server-side email processing tied to the Frontend File Manager Plugin
Detection Strategies
- Monitor web server access logs for repeated POST requests to admin-ajax.php with action=wpfm_send_file_in_email (a standard access log records the query string but not the POST body, so an action and file ID sent only in the body are visible only in application-level or WAF logs)
- Implement rate limiting on AJAX endpoints to detect and block enumeration attempts
- Configure email server logging to track unusual file sharing activity originating from WordPress
- Deploy Web Application Firewall (WAF) rules to identify and block requests with sequential file ID patterns
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX actions, particularly file-related operations
- Set up alerts for bulk email sending activity originating from the WordPress installation
- Regularly audit uploaded files and review sharing logs for unauthorized access attempts
- Monitor for requests from single IP addresses iterating through numeric file IDs
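The logging and enumeration alerting described in the detection and monitoring lists above, as an added example (not the plugin's or Wordfence's code): a must-use plugin that records every wpfm_send_file_in_email request from inside WordPress, where the POST parameters are visible, and raises an alert when one client walks consecutive file IDs. The `file_id`/`email` field names, the window and the run length are assumptions.

```php
<?php
// Added example, not the plugin's code: a must-use plugin (wp-content/mu-plugins/)
// that logs every wpfm_send_file_in_email request and flags a client walking
// sequential file IDs. Field names and thresholds are assumptions.
const EXAMPLE_WPFM_WINDOW  = 600; // seconds of history kept per client IP
const EXAMPLE_WPFM_MIN_RUN = 5;   // consecutive IDs that trigger an alert

// Priority 0 runs before the plugin's callback and before any blocking hook,
// so the request is recorded even when it is rejected afterwards.
add_action('wp_ajax_nopriv_wpfm_send_file_in_email', 'example_wpfm_audit', 0);
add_action('wp_ajax_wpfm_send_file_in_email', 'example_wpfm_audit', 0);
function example_wpfm_audit() {
    $ip      = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $file_id = absint($_REQUEST['file_id'] ?? 0);
    $email   = sanitize_email(wp_unslash($_REQUEST['email'] ?? ''));
    // One JSON line per request, for whatever collects the PHP error log.
    error_log(wp_json_encode(array(
        'event' => 'wpfm_send_file_in_email', 'ip' => $ip,
        'user' => get_current_user_id(), 'file_id' => $file_id,
        'email' => $email, 'ts' => time(),
    )));
    // Rolling per-IP history of requested IDs, kept in a transient.
    $key  = 'example_wpfm_' . md5($ip);
    $hist = get_transient($key);
    $hist = is_array($hist) ? $hist : array();
    $hist[] = $file_id;
    $hist   = array_slice($hist, -50);
    set_transient($key, $hist, EXAMPLE_WPFM_WINDOW);
    // Alert once, at the moment the run crosses the threshold.
    if (example_wpfm_sequential_run($hist) === EXAMPLE_WPFM_MIN_RUN) {
        $msg = "Client $ip requested " . EXAMPLE_WPFM_MIN_RUN
             . " consecutive file IDs via wpfm_send_file_in_email (last: $file_id).";
        error_log('ALERT possible file enumeration: ' . $msg);
        wp_mail(get_option('admin_email'), 'Possible file enumeration', $msg);
    }
}

// Length of the run of consecutive integers at the end of $ids:
// [3, 9, 10, 11, 12] -> 4, [7, 7, 7] -> 1, [] -> 0.
function example_wpfm_sequential_run(array $ids) {
    $run = count($ids) ? 1 : 0;
    for ($i = count($ids) - 1; $i > 0; $i--) {
        if ($ids[$i] !== $ids[$i - 1] + 1) {
            break;
        }
        $run++;
    }
    return $run;
}
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the per-client history must be keyed on the trusted forwarded-for header instead.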
How to Mitigate CVE-2026-1280
Immediate Actions Required
- Update the Frontend File Manager Plugin to a version newer than 23.5 when available
- Temporarily disable the Frontend File Manager Plugin if no patch is available
- Review uploaded files for sensitive content that may have been exposed
- Audit email logs to identify any unauthorized file sharing that may have already occurred
- Implement WAF rules to block unauthenticated requests to the vulnerable AJAX action
Patch Information
Organizations should monitor the WordPress Plugin Repository for updated versions that address this vulnerability. The Wordfence Vulnerability Report provides additional tracking information for this CVE.
Workarounds
- Disable the wpfm_send_file_in_email AJAX action by adding custom code to block the endpoint
- Restrict access to admin-ajax.php for unauthenticated users if site functionality permits
- Implement server-level access controls to limit requests to WordPress AJAX endpoints
- Consider migrating to an alternative file management plugin with proper authorization controls
```php
<?php
// Workaround for the unauthenticated path: place it in a must-use plugin
// (wp-content/mu-plugins/) or the active theme's functions.php. wp-config.php
// is not a suitable place, since in its usual layout it runs before add_action()
// is defined. Priority 1 runs ahead of the plugin's own callback on the
// wp_ajax_nopriv_ hook and wp_die() ends the request there. The logged-in hook
// (wp_ajax_wpfm_send_file_in_email) is not affected.
add_action('wp_ajax_nopriv_wpfm_send_file_in_email', function () {
    wp_die('Unauthorized access', 'Error', array('response' => 403));
}, 1);
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.