Unauthorized Data Deletion in Frontend File Manager Plugin for WordPress
CVE-2023-7306

7.5HIGH

Key Information:

Vendor: WordPress
Status: Frontend File Manager Plugin
Vendor: CVE Published:; 25 July 2025

What is CVE-2023-7306?

The Frontend File Manager Plugin for WordPress has a security flaw that allows attackers to delete arbitrary posts due to a lack of proper capability checks in the wpfm_delete_multiple_files() function. This vulnerability affects all versions up to and including 21.5, and it can be exploited by unauthenticated users to lead to the unauthorized loss of critical data.

Affected Version(s)

Frontend File Manager Plugin * <= 21.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2912124/nmed...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 25, 2025
Vulnerability Reserved
Jul 24, 2025