Frontend File Manager Plugin <= 23.6 – Subscriber+ Stored Cross-Site Scripting via File Rename | CVE 2026-8378

Description

The plugin does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

nmedia-user-file-uploader

No known fix

References

CVE

CVE-2026-8378

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.0 (high)

Miscellaneous

Original Researcher

Mohamad Nour Almujarkesh

Submitter

Mohamad Nour Almujarkesh

Verified

Yes

WPVDB ID

19f5dd94-b16c-4ad2-9586-d15ddecf9805

Timeline

Publicly Published

2026-06-02 (about 22 days ago)

Added

2026-06-02 (about 21 days ago)

Last Updated

2026-06-02 (about 21 days ago)

Other

Published

Title

Published

2026-03-23

Title

KiviCare – Clinic & Patient Management System (EHR) < 4.0.0 - Reflected Cross-Site Scripting

Published

2024-07-01

Title

Elementor – Header, Footer & Blocks Template < 1.6.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-03-30

Title

Donorbox < 7.1.7 - Admin+ Stored Cross-Site Scripting

Published

2024-11-22

Title

Quotes llama < 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-25

Title

Fancy Comments WordPress < 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode