CVE-2026-1280

Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

Description

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

INFO

Published Date :

2026-01-28T11:23:41.307Z

Last Modified :

2026-04-08T17:30:20.675Z

Source :

Wordfence

AFFECTED PRODUCTS

The following products are affected by CVE-2026-1280 vulnerability.

Vendors	Products
Najeebmedia	Frontend File Manager Plugin
Wordpress	Wordpress

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1280.

URL	Resource
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98
https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact