Path Traversal Vulnerability in Frontend File Manager for WordPress
CVE-2025-14804

7.7HIGH

Key Information:

Vendor: WordPress
Status: Frontend File Manager Plugin
Vendor: CVE Published:; 7 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14804?

The Frontend File Manager Plugin for WordPress prior to version 23.5 is susceptible to a path traversal vulnerability. This issue arises from inadequate validation of a path parameter and the ownership of files. As a result, any authenticated user, including those with subscriber-level access, may exploit this weakness to delete arbitrary files from the server. This flaw emphasizes the importance of proper input validation and access control to safeguard against unauthorized file manipulation.

Affected Version(s)

Frontend File Manager Plugin 0 < 23.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-14804 - Proof of Concept

References

https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Jan 7, 2026
👾
Exploit known to exist
Jan 7, 2026
Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 16, 2025

Credit

Gregory Allegoet & Bakir Tučić

WPScan

JSON