Authenticated Arbitrary File Deletion in Frontend File Manager Plugin for WordPress
CVE-2026-8095

8.1HIGH

Key Information:

Vendor: WordPress
Status: Frontend File Manager Plugin
Vendor: CVE Published:; 27 June 2026

What is CVE-2026-8095?

The Frontend File Manager Plugin for WordPress suffers from a critical vulnerability that enables authenticated attackers to perform arbitrary file deletion. This flaw arises from a case-sensitive bypass in the wpfm_dir_path parameter sanitization, permitting attackers to manipulate file paths and potentially delete essential files on the server. Specifically, this vulnerability affects versions up to and including 23.6, enabling users with Subscriber-level access to target and delete sensitive files such as wp-config.php. This silent exploitation can lead to complete site compromise, allowing for unauthorized access and data loss.

Affected Version(s)

Frontend File Manager Plugin 0 <= 23.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/nmedia-user-fi...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 27, 2026
Vulnerability Reserved
May 7, 2026

Credit

sorawautsukushiii

CVE-2026-8095 Data

JSON