Atomic Edge analysis of CVE-2026-1280:
This vulnerability is a missing authorization flaw in the Frontend File Manager WordPress plugin. It allows unauthenticated attackers to share arbitrary uploaded files via email. The vulnerability affects all plugin versions up to and including 23.5, with a CVSS score of 7.5.
Root Cause:
The vulnerability exists because the `wpfm_send_file_in_email` AJAX action handler lacks proper authorization checks. In the vulnerable version, the function `wpfm_send_file_in_email()` in `/inc/callback-functions.php` does not verify whether the user is logged in or has permission to access the file. The only check present is a nonce check, and even that is commented out in the vulnerable code. The `$arrays.php` file also incorrectly sets `"wpfm_send_file_in_email" => true`, which registers the AJAX action as accessible to unauthenticated users.
Exploitation:
Attackers can send POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wpfm_send_file_in_email`. They must include a `file_id` parameter containing a sequential integer ID of an uploaded file. Since file IDs are typically sequential, attackers can enumerate all files on the site by iterating through integer IDs. The request triggers the plugin to email the file to an attacker-specified address, effectively exfiltrating sensitive data intended only for administrators.
Patch Analysis:
The patch adds three critical security checks to the `wpfm_send_file_in_email()` function. First, it uncomments and enables the nonce verification. Second, it adds `if (!is_user_logged_in())` to require authentication. Third, it adds `if (!wpfm_is_current_user_post_author($file_id))` to verify file ownership. The patch also changes the `arrays.php` entry from `true` to `false`, preventing unauthenticated AJAX registration. These changes ensure only authenticated users who own files can share them.
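The shape of the hardened handler described above, written here as an added illustration (this is not the plugin's own code). It assumes uploaded files are stored as WordPress posts whose `post_author` is the uploader, so ownership can be checked through `get_post()`, and the nonce action name and the `nonce` request field are placeholders.

```php
<?php
// Added illustration, not the plugin's code: the three checks the patch adds
// to wpfm_send_file_in_email(), plus the registration that decides whether
// unauthenticated callers can reach the handler at all.
// Assumption: an uploaded file is a post whose post_author is the uploader.

// Hypothetical implementation of the ownership helper the patch calls.
function wpfm_is_current_user_post_author( $file_id ) {
    $post = get_post( absint( $file_id ) );
    if ( ! $post ) {
        return false;
    }
    return (int) $post->post_author === get_current_user_id();
}

function wpfm_send_file_in_email() {
    // 1. Nonce verification (re-enabled by the patch): check_ajax_referer()
    //    terminates the request with HTTP 403 when the nonce is invalid.
    check_ajax_referer( 'wpfm_send_file_in_email', 'nonce' );

    // 2. Authentication: anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 3. Authorization: the caller must own the file. This is what stops a
    //    logged-in user from walking sequential file_id values.
    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    if ( ! $file_id || ! wpfm_is_current_user_post_author( $file_id ) ) {
        wp_send_json_error( 'you do not own this file', 403 );
    }

    // ... build and send the email for $file_id (omitted) ...
    wp_send_json_success();
}

// Registration: only the wp_ajax_ hook, which WordPress fires for logged-in
// users. Registering wp_ajax_nopriv_ as well is what the `=> true` entry in
// arrays.php amounted to, exposing the handler to unauthenticated requests.
add_action( 'wp_ajax_wpfm_send_file_in_email', 'wpfm_send_file_in_email' );
```

Detection-wise, requests to `admin-ajax.php` with `action=wpfm_send_file_in_email` from unauthenticated sessions, especially with incrementing `file_id` values, are the signal to alert on in web server logs.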
Impact:
Successful exploitation allows complete data exfiltration of all uploaded files. Attackers can access sensitive documents, images, and other files that administrators uploaded through the plugin. This includes confidential business documents, personal identification files, and proprietary information. The sequential nature of file IDs makes enumeration trivial, potentially exposing the entire file repository.
